Cisco Aironet Access Points Configuration Guide for Cisco IOS Software
Cisco IOS Release 15.2(4)JB3a

Cisco Systems, Inc.
www.cisco.com
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS Preface xix Audience Purpose i-xix i-xx Configuration Procedures and Examples Organization i-xx Conventions i-xxii Related Publications i-xx i-xxii Obtaining Documentation, Obtaining Support, and Security Guidelines CHAPTER 1 Overview of Access Point Features Radios in Access Points 1-1 1-1 New Features and Platforms in a Release Management Options Roaming Client Devices 1-2 1-2 1-2 Network Configuration Examples 1-2 Root Access Point 1-3 Repeater Access Point 1-3 Bridges 1-4 Wo
Contents CHAPTER 3 Using the Command-Line Interface Cisco IOS Command Modes Getting Help 3-1 3-2 3-3 Abbreviating Commands 3-3 Using the no and Default Forms of Commands Understanding CLI Messages 3-4 3-4 Using Command History 3-4 Changing the Command History Buffer Size 3-5 Recalling Commands 3-5 Disabling the Command History Feature 3-5 Using Editing Features 3-6 Enabling and Disabling Editing Features 3-6 Editing Commands Through Keystrokes 3-6 Editing Command Lines that Wrap 3-7 Searching an
Contents Limitations of Security Settings CLI Configuration Examples 4-15 4-16 Configuring System Power Settings Access Points 4-22 Using the AC Power Adapter 4-22 Using a Switch Capable of IEEE 802.3af Power Negotiation 4-22 Using a Switch That Does Not Support IEEE 802.3af Power Negotiation 4-23 Using a Power Injector 4-23 dot11 extension power native Command 4-23 Support for 802.11n Performance on 1250 Series Access Points with Standard 802.3af PoE 1250 Series Power Modes 4-23 Support for 802.
Contents Setting the Privilege Level for a Command 5-8 Logging Into and Exiting a Privilege Level 5-9 Configuring Easy Setup 5-9 Configuring Spectrum Expert Mode 5-10 Controlling Access Point Access with RADIUS 5-11 Default RADIUS Configuration 5-12 Configuring RADIUS Login Authentication 5-12 Defining AAA Server Groups 5-14 Configuring RADIUS Authorization for User Privileged Access and Network Services 5-16 Displaying the RADIUS Configuration 5-17 Controlling Access Point Access with TACACS+ 5-17 D
Contents Setting the System Clock 5-31 Displaying the Time and Date Configuration 5-32 Configuring the Time Zone 5-32 Configuring Summer Time (Daylight Saving Time) 5-33 Defining HTTP Access 5-35 Configuring a System Name and Prompt 5-35 Default System Name and Prompt Configuration Configuring a System Name 5-35 Understanding DNS 5-36 Default DNS Configuration 5-36 Setting Up DNS 5-37 Displaying the DNS Configuration 5-38 Creating a Banner 5-38 Default Banner Configuration 5-38 Configuring a Message-of-t
Contents Channel Widths for 802..11n 6-17 Dynamic Frequency Selection 6-18 Radar Detection on a DFS Channel 6-19 CLI Commands 6-19 Confirming that DFS is Enabled 6-20 Configuring a Channel 6-20 Blocking Channels from DFS Selection 6-21 Setting the 802.
Contents CHAPTER 7 Configuring Multiple SSIDs 7-1 Understanding Multiple SSIDs 7-2 Effect of Software Versions on SSIDs 7-2 Configuring Multiple SSIDs 7-4 Default SSID Configuration 7-4 Creating an SSID Globally 7-4 Viewing SSIDs Configured Globally 7-6 Using Spaces in SSIDs 7-6 Using a RADIUS Server to Restrict SSIDs 7-7 Configuring Multiple Basic SSIDs 7-8 Requirements for Configuring Multiple BSSIDs Guidelines for Using Multiple BSSIDs 7-8 Configuring Multiple BSSIDs 7-8 CLI Configuration Example
Contents Configuring STP Settings 8-9 STP Configuration Examples 8-10 Root Bridge Without VLANs 8-10 Non-Root Bridge Without VLANs 8-11 Root Bridge with VLANs 8-11 Non-Root Bridge with VLANs 8-13 Displaying Spanning-Tree Status CHAPTER 9 8-14 Configuring an Access Point as a Local Authenticator Understanding Local Authentication 9-1 9-2 Configuring a Local Authenticator 9-2 Guidelines for Local Authenticators 9-3 Configuration Overview 9-3 Configuring the Local Authenticator Access Point 9-3 Configu
Contents EAP Authentication to the Network 11-4 MAC Address Authentication to the Network 11-5 Combining MAC-Based, EAP, and Open Authentication 11-6 Using CCKM for Authenticated Clients 11-6 Using WPA Key Management 11-7 Software and Firmware Requirements for WPA, CCKM, CKIP, and WPA-TKIP Configuring Authentication Types 11-10 Assigning Authentication Types to an SSID 11-10 Configuring WPA Migration Mode 11-13 Configuring Additional WPA Settings 11-14 Configuring MAC Authentication Caching 11-15 Configuri
Contents Viewing WDS Information 12-20 Using Debug Messages 12-21 Configuring Fast Secure Roaming 12-21 Requirements for Fast Secure Roaming 12-21 Configuring Access Points to Support Fast Secure Roaming CLI Configuration Example 12-24 Support for 802.
Contents Configuring the Access Point for Vendor-Proprietary RADIUS Server Communication Configuring WISPr RADIUS Attributes 13-18 Displaying the RADIUS Configuration 13-19 RADIUS Attributes Sent by the Access Point 13-20 Configuring and Enabling TACACS+ 13-23 Understanding TACACS+ 13-23 TACACS+ Operation 13-24 Configuring TACACS+ 13-24 Default TACACS+ Configuration 13-25 Identifying the TACACS+ Server Host and Setting the Authentication Key 13-25 Configuring TACACS+ Login Authentication 13-26 Configuring
Contents The QoS Policies Advanced Page 15-10 QoS Element for Wireless Phones 15-10 IGMP Snooping 15-11 AVVID Priority Mapping 15-11 WiFi Multimedia (WMM) 15-11 Rate Limiting 15-11 Adjusting Radio Access Categories 15-12 Configuring Nominal Rates 15-13 Optimized Voice Settings 15-14 Configuring Call Admission Control 15-14 QoS Configuration Examples 15-15 Giving Priority to Voice Traffic 15-15 Giving Priority to Video Traffic 15-16 CHAPTER 16 Configuring Filters 16-1 Understanding Filters 16-2 Confi
Contents CHAPTER 18 Configuring SNMP 18-1 Understanding SNMP 18-2 SNMP Versions 18-2 SNMP Manager Functions 18-3 SNMP Agent Functions 18-4 SNMP Community Strings 18-4 Using SNMP to Access MIB Variables 18-4 Configuring SNMP 18-5 Default SNMP Configuration 18-5 Enabling the SNMP Agent 18-5 Configuring Community Strings 18-6 Specifying SNMP-Server Group Names 18-7 Configuring SNMP-Server Hosts 18-8 Configuring SNMP-Server Users 18-8 Configuring Trap Managers and Enabling Traps 18-8 Setting the Agent Co
Contents Ignoring the CCX Neighbor List Configuring a Client VLAN 19-18 Workgroup Bridge VLAN Tagging 19-18 19-18 Configuring Workgroup Bridge Mode 19-19 Using Workgroup Bridges in a Lightweight Environment 19-21 Guidelines for Using Workgroup Bridges in a Lightweight Environment Sample Workgroup Bridge Configuration 19-23 Enabling VideoStream Support on Workgroup Bridges 19-23 CHAPTER 20 Managing Firmware and Configurations 19-21 20-1 Working with the Flash File System 20-1 Displaying Available
Contents Clearing Configuration Information 20-17 Deleting a Stored Configuration File 20-18 Working with Software Images 20-18 Image Location on the Access Point 20-18 tar File Format of Images on a Server or Cisco.
Contents CHAPTER 22 Troubleshooting 22-1 Checking the LED Indicators Checking Power 22-2 22-2 Low Power Condition 22-2 Checking Basic Settings 22-3 SSID 22-3 WEP Keys 22-3 Security Settings 22-3 Resetting to the Default Configuration Using the MODE Button 22-4 Using the Web Browser Interface Using the CLI 22-5 22-4 22-5 Reloading the Access Point Image 22-6 Using the MODE button 22-7 Using the Web Browser Interface 22-7 Browser HTTP Interface 22-8 Browser TFTP Interface 22-8 Using the CLI 22-9
Contents WDS Messages C-24 Mini IOS Messages C-25 Access Point/Bridge Messages C-26 Cisco Discovery Protocol Messages C-26 External Radius Server Error Messages C-26 LWAPP Error Messages C-27 Sensor Messages C-28 SNMP Error Messages C-29 SSH Error Messages C-30 GLOSSARY
Preface

Audience

This guide is for the networking professional who installs and manages Cisco Aironet Access Points in Autonomous mode. To use this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of wireless local area networks. The guide covers Cisco IOS Release 15.2(4)JB3a.
– Enable and disable the radios
– Manually set basic and supported transmission rates
– Enable advertised cell power in beacons to clients, to enable DTPC for doing active surveys
– Enable and disable SSID broadcast in beacons
– Enable open authentication

Purpose

This guide provides the information you need to install and configure your access point. It provides procedures for using the Cisco IOS software commands that have been created or changed for use with the access point.
Organization

Chapter 5, “Administering the Access Point,” describes how to perform one-time operations to administer your access point, such as preventing unauthorized access to the access point, setting the system date and time, and setting the system name and prompt.

Chapter 6, “Configuring Radio Settings,” describes how to configure settings for the access point radio such as the role in the radio network, transmit power, channel settings, and others.
Appendix B, “Supported MIBs,” lists the Simple Network Management Protocol (SNMP) Management Information Bases (MIBs) that the access point supports for this software release.

Appendix C, “Error and Event Messages,” lists the CLI error and event messages and provides an explanation and recommended action for each message.
– Installation Instructions for Cisco Aironet Power Injectors
– Access Point Deployment Guide
– Cisco Aironet 802.
Chapter 1 Overview of Access Point Features

Cisco Aironet Access Points (hereafter called access points, or abbreviated as APs) provide a secure, affordable, and easy-to-use wireless LAN solution that combines mobility and flexibility with the enterprise-class features required by networking professionals. With a management system based on Cisco IOS software, Cisco Aironet access points are Wi-Fi certified, and depending on the specific model are 802.11a-compliant, 802.11b-compliant, 802.
New Features and Platforms in a Release

For information on the new features and updates to existing features in this release, see the Release Notes for Cisco Aironet Access Points and Bridges for Cisco IOS Release 15.2(4)JB3a.
Network Configuration Examples

Root Access Point

An access point connected directly to a wired LAN provides a connection point for wireless users. If more than one access point is connected to the LAN, users can roam from one area of a facility to another without losing their connection to the network. As users move out of range of one access point, they automatically connect to the network (associate) through another access point.
Figure 1-2 Access Point as Repeater

Bridges

Access points can be configured as root or non-root bridges. In this role, an access point establishes a wireless link with a non-root bridge. Traffic is passed over the link to the wired LAN. Access points in root and non-root bridge roles can be configured to accept associations from clients.
Figure 1-4 Access Points as Root and Non-root Bridges with Clients

Workgroup Bridge

You can configure access points as workgroup bridges. In workgroup bridge mode, the unit associates to another access point as a client and provides a network connection for the devices connected to its Ethernet port.
Central Unit in an All-Wireless Network

In an all-wireless network, an access point acts as a stand-alone root unit. The access point is not attached to a wired LAN; it functions as a hub linking all stations together. The access point serves as the focal point for communications, increasing the communication range of wireless users. Figure 1-6 shows an access point in an all-wireless network.
Chapter 2 Using the Web-Browser Interface

This chapter describes the web-browser interface that you can use to configure the wireless device.
Using the Web-Browser Interface for the First Time

Use the wireless device IP address to browse to the management system. See the “Logging into the Access Point” section on page 4-4 for instructions on assigning an IP address to the wireless device. Follow these steps to begin using the web-browser interface:

Step 1 Start the browser.
Using the Management Pages in the Web-Browser Interface

Figure 2-1 Web-Browser Interface Home Page

Using Action Buttons

Table 2-1 lists the page links and buttons that appear on the management page.
Table 2-1 Buttons and Links on the Management Page (continued)

Button/Link: Services
Description: Displays status for several wireless device features and links to configuration pages for Telnet/SSH, CDP, domain name server, filters, QoS, SNMP, SNTP, and VLANs.

Button/Link: Management
Description: Displays a list of current guest users and provides links to configuration pages for guest users and web authentication pages.
Enabling HTTPS for Secure Browsing

You can protect the communication with the access point web-browser interface by enabling HTTPS. HTTPS protects HTTP browser sessions by using the Secure Socket Layer (SSL) protocol.

Note
When you enable HTTPS, your browser might lose its connection to the access point.
Step 12 In the Domain Name field, enter a domain name, and then click Apply.

Note
Enabling HTTPS automatically disables HTTP. To maintain HTTP access with HTTPS enabled, check the Enable Secure (HTTPS) Browsing check box, and then check the Enable Standard (HTTP) Browsing check box. Although you can enable both standard HTTP and HTTPS, we recommend that you enable only one.
AP(config)# end

In this example, the access point system name is ap3600, the domain name is company.com, and the IP address of the DNS server is 10.91.107.18. For complete descriptions of the commands used in this example, consult the Cisco IOS Commands Master List, Release 12.4. Click this link to browse to the master list of commands: http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124mindx/124htnml.
Changing the Location of Help Files

Cisco maintains up-to-date HTML help files for access points on the Cisco website. By default, the access point opens a help file on Cisco.com when you click the help button on the access point web-browser interface. However, you can install the help files on your network so your access points can access them there.
Chapter 3 Using the Command-Line Interface

This chapter describes the Cisco IOS command-line interface (CLI) that you can use to configure the wireless device.
Cisco IOS Command Modes

The Cisco IOS user interface is divided into many different modes. The commands available to you depend on which mode you are currently in. Enter a question mark (?) at the system prompt to obtain a list of commands available for each command mode. When you start a session on the wireless device, you begin in user mode, often called user EXEC mode. Only a subset of the Cisco IOS commands is available in user EXEC mode.
Getting Help

You can enter a question mark (?) at the system prompt to display a list of commands available for each command mode. You can also obtain a list of associated keywords and arguments for any command, as shown in Table 3-2.

Table 3-2 Help Summary

Command: help
Purpose: Obtains a brief description of the help system in any command mode.

Command: abbreviated-command-entry?
Purpose: Obtains a list of commands that begin with a particular character string.
Using the no and Default Forms of Commands

Most configuration commands also have a no form. In general, use the no form to disable a feature or function or reverse the action of a command. For example, the no shutdown interface configuration command reverses the shutdown of an interface. Use the command without the keyword no to re-enable a disabled feature or to enable a feature that is disabled by default.
Using Command History

Changing the Command History Buffer Size

By default, the wireless device records ten command lines in its history buffer. Beginning in privileged EXEC mode, enter this command to change the number of command lines that the wireless device records during the current terminal session:

ap# terminal history [size number-of-lines]

The range is from 0 to 256.
Using Editing Features

This section describes the editing features that can help you manipulate the command line. It contains these sections:
• Enabling and Disabling Editing Features, page 3-6
• Editing Commands Through Keystrokes, page 3-6
• Editing Command Lines that Wrap, page 3-7

Enabling and Disabling Editing Features

Although enhanced editing mode is automatically enabled, you can disable it.
Table 3-5 Editing Commands Through Keystrokes (continued)

Capability: Delete entries if you make a mistake or change your mind.
  Delete or Backspace: Erase the character to the left of the cursor.
  Ctrl-D: Delete the character at the cursor.
  Ctrl-K: Delete all characters from the cursor to the end of the command line.

Capability: Capitalize or lowercase words or capitalize a set of letters.
In this example, the access-list global configuration command entry extends beyond one line. When the cursor first reaches the end of the line, the line is shifted ten spaces to the left and redisplayed. The dollar sign ($) shows that the line has been scrolled to the left. Each time the cursor reaches the end of the line, the line is again shifted ten spaces to the left.
Accessing the CLI

You can open the wireless device CLI using Telnet or Secure Shell (SSH).

Opening the CLI with Telnet

Follow these steps to open the CLI with Telnet. These steps are for a PC running Microsoft Windows with a Telnet terminal application. Check your PC operating instructions for detailed instructions for your operating system.

Step 1 Select Start > Programs > Accessories > Telnet.
Chapter 4 Configuring the Access Point for the First Time

This chapter describes how to configure basic settings on the wireless device for the first time. The contents of this chapter are similar to the instructions in the quick start guide that shipped with the wireless device.
Before You Start

• A system name for the wireless device
• The case-sensitive wireless service set identifier (SSID) for your radio network
• If not connected to a DHCP server, a unique IP address for the wireless device (such as 172.17.255.
Step 5 Click Software and the System Software screen appears.
Step 6 Click System Configuration and the System Configuration screen appears.
Step 7 Click the Reset to Defaults button to reset all settings, including the IP address, to factory defaults. To reset all settings except the IP address to defaults, click the Reset to Defaults (Except IP) button.
Logging into the Access Point

A user can log in to the access point using one of the following methods:
• graphical user interface (GUI)
• Telnet (if the AP is configured with an IP address)
• console port

Note
Not all models of Cisco Aironet Access Points have a console port. If the access point does not have a console port, use either the GUI or Telnet for access.
Follow the steps in the “Connecting to the 1130 Series Access Point Locally” section on page 4-5 or in the “Connecting to the 1040, 1140, 1240, 1250, 1260, and 2600 Series Access Points Locally” section on page 4-6 to connect to the console port.
– Provide your network administrator with the wireless device Media Access Control (MAC) address.
Connecting to the 1040, 1140, 1240, 1250, 1260, and 2600 Series Access Points Locally

If you need to configure the access point locally (without connecting the access point to a wired LAN), you can connect a PC to its console port using a DB-9 to RJ-45 serial cable.
Note
Communication takes place between the power injector and the access point/bridge using Ethernet Port 0. Do not attempt to change any of the Ethernet Port 0 settings.

Step 3 Connect the power injector to the access point/bridge using dual coaxial cables.
Step 4 Connect the power injector power cable and power on the access point/bridge.
Step 5 Follow the steps in the “Assigning Basic Settings” section on page 4-7.
Step 6 Click Network Configuration.
Step 7 Enter the Network Configuration settings that you obtained from your system administrator. The configurable settings include:
• Host Name—The host name, while not an essential setting, helps identify the wireless device on your network. The host name appears in the titles of the management system pages.

Note
You can enter up to 32 characters for the system name.
Step 8 Enter the following Radio Configuration settings for the radio bands supported by the access point. Both the 2.4 GHz and 5 GHz radios have the following options:
• SSID—Type the SSID in the SSID entry field. The SSID can contain up to 32 alphanumeric characters.
  – Broadcast SSID in Beacon—To allow devices without a specified SSID to associate with the access point, select this check box.
• Role in Radio Network—Click the button that describes the role of the wireless device on your network. Select Access Point (Root) if the wireless device is connected to the wired LAN. Select Repeater (Non-Root) if it is not connected to the wired LAN. The only role supported on the Airlink is root.
  – For the 2.4 GHz radio, the relevant options are Least-Congested, channel 1 (2412), channel 2 (2417), channel 3 (2422), channel 4 (2427), channel 5 (2432), channel 6 (2437), channel 7 (2442), channel 8 (2447), channel 9 (2452), channel 10 (2457), and channel 11 (2462).
Table 4-1 Default Settings on the Express Setup Page (continued)

Setting: VLAN
Default: No VLAN

Setting: Security
Default: No Security

Setting: Role in Radio Network (for each radio installed)
Default: Access point

Setting: Optimize Radio Network for
Default: Default

Setting: Aironet Extensions
Default: Enable

Setting: Channel
Default: Least-Congested (for 2.
Express Security page encryption settings and authentication types are linked. Without VLANs, encryption settings (WEP and ciphers) apply to an interface, such as the 2.4-GHz radio, and you cannot use more than one encryption setting on an interface.
Table 4-2 Security Types on Express Security Setup Page (continued)

Security Type: EAP Authentication
Description: This option enables 802.1X authentication (such as LEAP, PEAP, EAP-TLS, EAP-FAST, EAP-TTLS, EAP-GTC, EAP-SIM, and other 802.1X/EAP based products).
Security Features Enabled: Mandatory 802.1X authentication. Client devices that associate using this SSID must perform 802.1X authentication.
Limitations of Security Settings

The security settings in the Easy Setup Radio Configuration section are designed for simple configuration of basic security. The options available are a subset of the wireless device security capabilities. Keep these limitations in mind when using the Express Security page:
• If the No VLAN option is selected, the static WEP key can be configured once.
CLI Configuration Examples

The examples in this section show the CLI commands that are equivalent to creating SSIDs using each security type. This section contains these example configurations:
• Example: No Security for Radio 2.4GHz, page 4-16
• Example: Static WEP for Radio 2.4 GHz, page 4-17
• Example: EAP Authentication, page 4-18
• Example: WPA for Radio 2.4GHz, page 4-20

Example: No Security for Radio 2.
no bridge-group 1 unicast-flooding
!

Example: Static WEP for Radio 2.
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface GigabitEthernet0.
!
antenna gain 0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.
ipv6 address autoconfig
ipv6 enable
!
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
!
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
!
radius server 10.10.11.100
address ipv4 10.10.11.
!
antenna gain 0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.
ipv6 address autoconfig
ipv6 enable
!
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
!
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
!
radius server 10.10.11.100
address ipv4 10.10.11.
Configuring System Power Settings for Access Points

Using a Switch That Does Not Support IEEE 802.3af Power Negotiation

If you use a switch to provide Power over Ethernet (PoE) to the 1040, 1130, or 1140 access point, and the switch does not support the IEEE 802.3af power negotiation standard, select Pre-Standard Compatibility on the System Software: System Configuration page.
Support for 802.11ac in 3600 Series Access Points

Table 4-3 Inline Power Options based on Access Point Radio Configuration

Columns: Band | Data Rate | Number of Transmitters | Cyclic Shift Diversity (CSD) | Maximum Transmit Power (dBm) in 802.3af Mode (15.4 W) | Maximum Transmit Power (dBm) in Enhanced PoE Power Optimized Mode (16.8 W) | Maximum Transmit Power (dBm) in Enhanced PoE Mode (20 W)

2.4 GHz | 802.11b | 1 | N/A | 20 | 20 | 20
2.4 GHz | 802.11g | 1 | N/A | 17 | 17 | 17
2.4 GHz | 802.
The following points must be kept in mind while configuring 802.11ac radios:
• The 802.11ac radio depends on the 802.11n radio to be fully functional. Shutting down the 802.11n radio will affect the 802.11ac functionalities.
• 802.11n and 802.11ac radios operate in the same band.
Assigning an IP Address Using the CLI

When you connect the wireless device to the wired LAN, the wireless device links to the network using a bridge virtual interface (BVI) that it creates automatically. Instead of tracking separate IP addresses for the wireless device Ethernet and radio ports, the network uses the BVI.
Configuring the 802.1X Supplicant

…their network connection used by an outsider. Second, when a repeater access point is incorporated into a wireless network, the repeater access point must authenticate to the root access point in the same way as a client does.

Note
The 802.1X supplicant is available on 1040, 1130AG, 1140, 1240AG, 1250, 1260, and 1300 series access points. It is not available on 1100 and 1200 series access points.
ap1240AG#config terminal
Enter configuration commands, one per line. End with CTRL-Z.
ap1240AG(config)# dot1x credentials test
ap1240AG(config-dot1x-creden)#username Cisco
ap1240AG(config-dot1x-creden)#password Cisco
ap1240AG(config-dot1x-creden)#exit
ap1240AG(config)#

Applying the Credentials to an Interface or SSID

Credential profiles are applied to an interface or an SSID in the same way.
Command / Purpose

Step 1 configure terminal
Enter global configuration mode.

Step 2 dot11 ssid ssid
Enter the 802.11 SSID. The SSID can consist of up to 32 alphanumeric characters. SSIDs are case sensitive.

Note
The first character cannot be the !, #, or ; character. The characters +, ], /, ", TAB, and trailing spaces are invalid anywhere in an SSID.
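The SSID rules stated above (length, reserved first characters, forbidden characters, trailing spaces) as an added validator that can also audit the dot11 ssid lines of a saved running config. This is example code, not Cisco's; the function names and the sample config are constructed for the demonstration.

```python
"""Check SSID names against the rules the guide states for the dot11 ssid
command: up to 32 characters, case sensitive, first character not '!', '#'
or ';', and no '+', ']', '/', '"', TAB or trailing spaces.
Added example, not Cisco code; audit_config() and SAMPLE_CONFIG are constructed."""

MAX_SSID_LEN = 32
FORBIDDEN_FIRST = frozenset("!#;")
FORBIDDEN_ANYWHERE = frozenset('+]/"\t')


def ssid_problems(ssid: str) -> list:
    """Return every rule the SSID violates; an empty list means it is valid."""
    if not ssid:
        return ["SSID is empty"]
    problems = []
    if len(ssid) > MAX_SSID_LEN:
        problems.append(f"length {len(ssid)} exceeds {MAX_SSID_LEN} characters")
    if ssid[0] in FORBIDDEN_FIRST:
        problems.append(f"first character {ssid[0]!r} is not allowed")
    bad = sorted({c for c in ssid if c in FORBIDDEN_ANYWHERE})
    if bad:
        problems.append("contains invalid character(s): " + " ".join(repr(c) for c in bad))
    if ssid.endswith(" "):
        problems.append("trailing space(s) are not allowed")
    return problems


def is_valid_ssid(ssid: str) -> bool:
    """True when the SSID passes every rule (comparison is case sensitive, as on the AP)."""
    return not ssid_problems(ssid)


def audit_config(running_config: str) -> dict:
    """Map each 'dot11 ssid <name>' line of a config to its rule violations.
    Only leading whitespace is stripped, so a trailing space in a name is kept."""
    report = {}
    for line in running_config.split("\n"):
        stripped = line.lstrip()
        if stripped.startswith("dot11 ssid "):
            name = stripped[len("dot11 ssid "):]
            report[name] = ssid_problems(name)
    return report


# Constructed sample: three SSIDs as they would appear in a running config.
SAMPLE_CONFIG = (
    "dot11 ssid Corp-WLAN\n"
    "   authentication open\n"
    "!\n"
    "dot11 ssid #Guest Net\n"
    "!\n"
    'dot11 ssid lab/"net \n'
    "!\n"
)

if __name__ == "__main__":
    for name, problems in audit_config(SAMPLE_CONFIG).items():
        print(f"{name!r}: {'ok' if not problems else '; '.join(problems)}")
```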
Chapter 4 Configuring the Access Point for the First Time Configuring IPv6 Link-Local Addresses are automatically configured on an interface using the link-local prefix FE80::/10 (1111 1110 10). The interface identifier is in the modified EUI-64 format. • Anycast can be used only by a router and not by a host. Anycast addresses must not be used as the source address of an IPv6 packet.
Chapter 4 Configuring the Access Point for the First Time Configuring IPv6 Beginning in privileged EXEC mode, use the following command to assign a site-local or global address to the interface: ap(config-if)# ipv6 address ipv6-address [eui-64] Note The optional eui-64 keyword is used to utilize the Modified EUI-64 interface ID in the low order 64 bits of the address.
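The two passages above say that link-local addresses use the FE80::/10 prefix with a modified EUI-64 interface identifier, and that the eui-64 keyword derives the low-order 64 bits of a site-local or global address the same way. The following Python, added here as an illustration and not part of the Cisco guide, carries that derivation through: it builds the interface ID from a 48-bit MAC (flip the universal/local bit, insert FF:FE in the middle), attaches it to a /64 prefix, and also recovers the MAC from such an address. The sample MAC is the radio base address shown in this guide's show controllers example; the 2001:db8:1:1::/64 prefix is a documentation prefix chosen for the example. The reverse function is included because the defender-relevant consequence of EUI-64 addressing is that a client's hardware address is visible in every address it forms, regardless of prefix.

```python
"""Modified EUI-64 interface identifiers as used by IPv6 link-local and
eui-64 addressing.  Illustrative helper, not code from the Cisco guide."""
import ipaddress
import re


def parse_mac(text: str) -> bytes:
    """Accept Cisco dotted (0013.5f0e.d1e0), colon, or hyphen MAC notation."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(hexdigits)


def modified_eui64(mac: bytes) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier for a MAC.

    RFC 4291 appendix A: insert 0xFFFE between the OUI and the device part,
    then invert the universal/local bit (bit 0x02 of the first byte).
    """
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    first = mac[0] ^ 0x02  # flip the U/L bit
    return bytes([first]) + mac[1:3] + b"\xff\xfe" + mac[3:]


def eui64_address(prefix: str, mac: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the modified EUI-64 interface ID of `mac`."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers require a /64 prefix")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_address(mac: bytes) -> ipaddress.IPv6Address:
    """Link-local address: FE80::/10 prefix, zero-filled to /64, plus the IID."""
    return eui64_address("fe80::/64", mac)


def mac_from_eui64_address(addr: str):
    """Recover the MAC embedded in an EUI-64 derived address, or None if the
    low 64 bits do not carry the FF:FE marker (e.g. a manually assigned or
    privacy address)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    return bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]


def format_cisco_mac(mac: bytes) -> str:
    """Render 6 bytes in Cisco's xxxx.xxxx.xxxx notation."""
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


if __name__ == "__main__":
    # Sample input: the radio base address from the guide's show controllers
    # example; the global prefix is a constructed documentation prefix.
    mac = parse_mac("0013.5f0e.d1e0")
    print("interface ID :", modified_eui64(mac).hex())
    print("link-local   :", link_local_address(mac))
    print("global eui-64:", eui64_address("2001:db8:1:1::/64", mac))
    recovered = mac_from_eui64_address(str(link_local_address(mac)))
    print("MAC recovered:", format_cisco_mac(recovered))
```

The link-local result for the sample MAC is fe80::213:5fff:fe0e:d1e0, which is the address you would expect to see in show ipv6 interface output for an interface with that hardware address.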
Chapter 4 Configuring the Access Point for the First Time Configuring IPv6 Command Purpose ipv6 nd ? Configures neighbor discovery protocol. ipv6 nd ns-interval value This command is available only on bridge group virtual interface (BVI). Sets the interval between IPv6 neighbor solicitation retransmissions on an interface. ipv6 nd reachable-time value Sets the amount of time that a remote IPv6 node is reachable.
Chapter 4 Configuring the Access Point for the First Time Configuring IPv6 Configuring IPv6 Access Lists IPv6 access lists (ACL) are used to filter traffic and restrict access to the router. IPv6 prefix lists are used to filter routing protocol updates.
Chapter 4 Configuring the Access Point for the First Time Configuring IPv6 IPv6 WDS AP registration The first active IPv6 address is used to register the WDS. Table 4-8 shows different scenarios in the IPv6 WDS AP registration process.
Chapter 4 Configuring the Access Point for the First Time Configuring IPv6 RA filtering RA filtering increases the security of the IPv6 network by dropping RAs coming from wireless clients. RA filtering prevents misconfigured or malicious IPv6 clients from injecting router advertisements into the network, often with a high priority that takes precedence over legitimate IPv6 routers.
Chapter 5 Administering the Access Point This chapter describes how to administer the wireless device.
Chapter 5 Administering the Access Point Disabling the Mode Button Disabling the Mode Button You can disable the mode button on access points having a console port by using the [no] boot mode-button command. This command prevents password recovery and is used to prevent unauthorized users from gaining access to the access point CLI. Caution This command disables password recovery.
Chapter 5 Administering the Access Point Preventing Unauthorized Access to Your Access Point Preventing Unauthorized Access to Your Access Point You can prevent unauthorized users from reconfiguring the wireless device and viewing configuration information. Typically, you want network administrators to have access to the wireless device while you restrict access to users who connect through a terminal or workstation from within the local network.
Chapter 5 Administering the Access Point Protecting Access to Privileged EXEC Commands Default Password and Privilege Level Configuration Table 5-1 shows the default password and privilege level configuration. Table 5-1 Default Password and Privilege Levels Feature Default Setting Username and password Default username is Cisco and the default password is Cisco. Enable password and privilege level Default password is Cisco. The default is level 15 (privileged EXEC level).
Chapter 5 Administering the Access Point Protecting Access to Privileged EXEC Commands Command Purpose Step 3 end Return to privileged EXEC mode. Step 4 show running-config Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. The enable password is not encrypted and can be read in the wireless device configuration file. This example shows how to change the enable password to l1u2c3k4y5.
Chapter 5 Administering the Access Point Protecting Access to Privileged EXEC Commands Protecting Enable and Enable Secret Passwords with Encryption To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or enable secret global configuration commands.
Chapter 5 Administering the Access Point Protecting Access to Privileged EXEC Commands If both the enable and enable secret passwords are defined, users must enter the enable secret password. Use the level keyword to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level global configuration command to specify commands accessible at various levels.
Chapter 5 Administering the Access Point Protecting Access to Privileged EXEC Commands To disable username authentication for a specific user, use the no username name global configuration command. To disable password checking and allow connections without a password, use the no login line configuration command. You must have at least one username configured and you must have login local set to open a Telnet session to the wireless device.
Chapter 5 Administering the Access Point Configuring Easy Setup Step 3 Command Purpose enable password level level password Specify the enable password for the privilege level. • For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. • For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.
Chapter 5 Administering the Access Point Configuring Spectrum Expert Mode Network Configuration To configure an access point using the network configuration, enter the values for the following fields: • Hostname • IP Address • Server protocol • IP Subnet • Default Gateway • Admin Login • Admin Password • SNMP Community Radio Configuration To configure an access point using Radio Configuration, configure the following fields: • SSID—a 32 byte string. • Security.
Chapter 5 Administering the Access Point Controlling Access Point Access with RADIUS Step 1 Choose Home > Easy Setup > Network Configuration. Step 2 From the Role in Radio Network drop-down list choose Spectrum. Step 3 Click Apply. Step 4 Launch the Spectrum Expert by clicking on the Spectrum Expert Icon. You can also enable the Spectrum Expert Mode by following these steps: Step 1 Choose Network > Network Interface. Step 2 Click Radio0-802.11n 2G.Hz or Radio0-802.11n 5G.
Chapter 5 Administering the Access Point Controlling Access Point Access with RADIUS RADIUS provides detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS is facilitated through AAA and can be enabled only through AAA commands. Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Release 12.3.
Chapter 5 Administering the Access Point Controlling Access Point Access with RADIUS Step 3 Command Purpose aaa authentication login {default | list-name} method1 [method2...] Create a login authentication method list. • To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.
Chapter 5 Administering the Access Point Controlling Access Point Access with RADIUS Defining AAA Server Groups You can configure the wireless device to use AAA server groups to group existing server hosts for authentication. You select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list, which lists the IP addresses of the selected server hosts.
Chapter 5 Administering the Access Point Controlling Access Point Access with RADIUS Step 3 Command Purpose radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] Specify the IP address or host name of the remote RADIUS server host. • (Optional) For auth-port port-number, specify the UDP destination port for authentication requests.
Chapter 5 Administering the Access Point Controlling Access Point Access with RADIUS To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command. To remove a server group from the configuration list, use the no aaa group server radius group-name global configuration command. To remove the IP address of a RADIUS server, use the no server ip-address server group configuration command.
Chapter 5 Administering the Access Point Controlling Access Point Access with TACACS+ Command Purpose Step 5 show running-config Verify your entries. Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable authorization, use the no aaa authorization {network | exec} method1 global configuration command. Displaying the RADIUS Configuration To display the RADIUS configuration, use the show running-config privileged EXEC command.
Chapter 5 Administering the Access Point Controlling Access Point Access with TACACS+ Configuring TACACS+ Login Authentication To configure AAA authentication, you define a named list of authentication methods and then apply that list to various interfaces. The method list defines the types of authentication to be performed and the sequence in which they are performed; it must be applied to a specific interface before any of the defined authentication methods are performed.
Chapter 5 Administering the Access Point Controlling Access Point Access with TACACS+ Command Purpose Step 6 end Return to privileged EXEC mode. Step 7 show running-config Verify your entries. Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file. To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...
Chapter 5 Administering the Access Point Configuring Ethernet Speed and Duplex Settings To disable authorization, use the no aaa authorization {network | exec} method1 global configuration command. Displaying the TACACS+ Configuration To display TACACS+ server statistics, use the show tacacs privileged EXEC command. Configuring Ethernet Speed and Duplex Settings You can assign the wireless device Ethernet port speed and duplex settings.
Chapter 5 Administering the Access Point Configuring the Access Point for Local Authentication and Authorization AP(config)# wlccp wnm ip address ip-address Enter this command to check the authentication status between the WDS access point and the WNM: AP# show wlccp wnm status Possible statuses are not authenticated, authentication in progress, authentication fail, authenticated, and security keys setup.
Chapter 5 Administering the Access Point Configuring the Authentication Cache and Profile Step 6 Command Purpose username name [privilege level] {password encryption-type password} Enter the local database, and establish a username-based authentication system. Repeat this command for each user. • For name, specify the user ID as one word. Spaces and quotation marks are not allowed. • (Optional) For level, specify the privilege level the user has after gaining access. The range is 0 to 15.
Chapter 5 Administering the Access Point Configuring the Authentication Cache and Profile version 12.3 no service pad service timestamps debug datetime msec service timestamps log datetime msec service password-encryption ! hostname ap ! ! username Cisco password 7 123A0C041104 username admin privilege 15 password 7 01030717481C091D25 ip subnet-zero ! ! aaa new-model ! ! aaa group server radius rad_eap server 192.168.134.
Chapter 5 Administering the Access Point Configuring the Authentication Cache and Profile bridge-group 1 subscriber-loop-control bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding bridge-group 1 spanning-disabled ! interface Dot11Radio1 no ip address no ip route-cache shutdown speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.
Chapter 5 Administering the Access Point Configuring the Access Point to Provide DHCP Service Configuring the Access Point to Provide DHCP Service These sections describe how to configure the wireless device to act as a DHCP server: • Setting up the DHCP Server, page 5-25 • Monitoring and Maintaining the DHCP Server Access Point, page 5-26 Setting up the DHCP Server By default, access points are configured to receive IP settings from a DHCP server on your network.
Chapter 5 Administering the Access Point Configuring the Access Point to Provide DHCP Service Step 5 Command Purpose lease { days [ hours ] [ minutes ] | infinite } Configure the duration of the lease for IP addresses assigned by the wireless device.
Chapter 5 Administering the Access Point Configuring the Access Point for Secure Shell Table 5-2 Show Commands for DHCP Server Command Purpose show ip dhcp conflict [ address ] Displays a list of all address conflicts recorded by a specific DHCP Server. Enter the wireless device IP address to show conflicts recorded by the wireless device. show ip dhcp database [ url ] Displays recent activity on the DHCP database. Note show ip dhcp server statistics Use this command in privileged EXEC mode.
Chapter 5 Administering the Access Point Configuring the Access Point for Secure Shell Understanding SSH SSH is a protocol that provides a secure, remote connection to a Layer 2 or a Layer 3 device. There are two versions of SSH: SSH Version 1 and SSH Version 2. This software release supports both SSH versions. If you do not specify the version number, the access point defaults to Version 2.
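The sections on protecting privileged EXEC access and on SSH make several points that are easy to miss in a long running-config: the enable password is stored unencrypted and is readable in the configuration file, an enable secret should be preferred, user passwords shown with type 7 are only the reversible service password-encryption encoding, no login on a line removes password checking, and the access point defaults to SSH version 2 only when no version is specified. The following Python, added here as an example and not part of the Cisco guide or IOS, audits a running-config text for those conditions. Both sample configs are constructed for the example and modelled on the excerpt earlier in this chapter; the finding codes and severities are the example's own choices.

```python
"""Audit a Cisco IOS running-config for the credential weaknesses this chapter
describes.  Illustrative helper, not Cisco code."""
import re
from typing import List, Optional, Tuple

Finding = Tuple[str, str, str]  # (severity, code, detail)

# Constructed sample, not a real device's config; it imitates the
# running-config excerpt in this chapter.
WEAK_CONFIG = """\
version 12.3
no service password-encryption
hostname ap
!
enable password l1u2c3k4y5
username Cisco password 0 Cisco
username admin privilege 15 password 7 01030717481C091D25
!
ip ssh version 1
!
line con 0
line vty 0 4
 no login
 transport input all
"""

# The same device with the chapter's recommendations applied (constructed;
# the secret values are placeholders, not real hashes).
HARDENED_CONFIG = """\
version 12.3
service password-encryption
hostname ap
!
enable secret 5 $1$PLACEHOLDER$notarealhashvalue
username admin privilege 15 secret 5 $1$PLACEHOLDER$notarealhashvalue
!
ip ssh version 2
!
line vty 0 4
 login local
 transport input ssh
"""

# username NAME [privilege N] password [TYPE] STRING
USER_PW_RE = re.compile(
    r"^username\s+(\S+)(?:\s+privilege\s+\d+)?\s+password\s+(?:(\d)\s+)?(\S+)"
)


def audit_config(config_text: str) -> List[Finding]:
    findings: List[Finding] = []
    has_enable_secret = False
    has_enable_password = False
    password_encryption_on = False
    line_section: Optional[str] = None  # current 'line con/vty ...' block

    for raw in config_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        if not raw.startswith(" "):  # a non-indented line leaves line sub-mode
            line_section = None
        if stripped.startswith("line "):
            line_section = stripped
            continue
        if stripped == "service password-encryption":
            password_encryption_on = True
        elif stripped.startswith("enable secret"):
            has_enable_secret = True
        elif stripped.startswith("enable password"):
            has_enable_password = True
        elif stripped == "ip ssh version 1":
            findings.append(("MEDIUM", "ssh-v1", "SSH explicitly pinned to version 1"))
        elif line_section and stripped == "no login":
            findings.append(("HIGH", "no-login", f"{line_section}: password checking disabled"))
        else:
            m = USER_PW_RE.match(stripped)
            if m:
                user, ptype, _ = m.groups()
                if ptype in (None, "0"):
                    findings.append(("HIGH", "cleartext-user-password",
                                     f"user {user}: password stored in cleartext"))
                elif ptype == "7":
                    findings.append(("MEDIUM", "type7-user-password",
                                     f"user {user}: type 7 is reversible; use 'secret'"))

    if has_enable_password and not has_enable_secret:
        findings.append(("HIGH", "enable-password-only",
                         "enable password set without enable secret; readable in config"))
    elif has_enable_password and has_enable_secret:
        findings.append(("LOW", "enable-password-redundant",
                         "enable secret takes precedence, but the plain enable password remains stored"))
    if not password_encryption_on:
        findings.append(("MEDIUM", "no-password-encryption",
                         "service password-encryption is not enabled"))
    return findings


def finding_codes(config_text: str) -> List[str]:
    """Sorted finding codes, convenient for comparing two configs."""
    return sorted(code for _, code, _ in audit_config(config_text))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for severity, code, detail in audit_config(cfg):
            print(f"{severity:6} {code:26} {detail}")
```

Run against the output of show running-config saved to a file, the script reports six findings for the weak sample and none for the hardened one. The check treats an absent ip ssh version line as acceptable because, as the section above states, the access point then defaults to version 2; only an explicit version 1 is flagged.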
Chapter 5 Administering the Access Point Configuring Client ARP Caching • username cisco privilege 15 password 0 cisco To perform SCP, use the copy run scp://url command. Configuring Client ARP Caching You can configure the wireless device to maintain an ARP cache for associated client devices. Maintaining an ARP cache on the wireless device reduces the traffic load on your wireless LAN. ARP caching is disabled by default.
Chapter 5 Administering the Access Point Managing the System Time and Date Configuring ARP Caching Beginning in privileged EXEC mode, follow these steps to configure the wireless device to maintain an ARP cache for associated clients: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 dot11 arp-cache [ optional ] Enable ARP caching on the wireless device.
Chapter 5 Administering the Access Point Managing the System Time and Date http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800ca66f.html#1001131 If multiple servers are at the same stratum, a configured server is preferred over a broadcast server. If multiple servers pass both tests, the first one to send a time packet is selected.
Chapter 5 Administering the Access Point Managing the System Time and Date Beginning in privileged EXEC mode, follow these steps to set the system clock: Step 1 Command Purpose clock set hh:mm:ss day month year Manually set the system clock using one of these formats: or • For hh:mm:ss, specify the time in hours (24-hour format), minutes, and seconds. The time specified is relative to the configured time zone. • For day, specify the day by date in the month.
Chapter 5 Administering the Access Point Managing the System Time and Date Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 clock timezone zone hours-offset [minutes-offset] Set the time zone. The wireless device keeps internal time in Coordinated Universal Time (UTC), so this command is used only for display purposes and when the time is manually set. • For zone, enter the name of the time zone to be displayed when standard time is in effect. The default is UTC.
Chapter 5 Administering the Access Point Managing the System Time and Date Command Purpose Step 4 show running-config Verify your entries. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. The first part of the clock summer-time global configuration command specifies when summer time begins, and the second part specifies when it ends. All times are relative to the local time zone. The start time is relative to standard time.
Chapter 5 Administering the Access Point Defining HTTP Access Defining HTTP Access By default, port 80 is used for HTTP access, and port 443 is used for HTTPS access. These values can be customized by the user. Follow these steps to define the HTTP access. Step 1 From the access point GUI, click Services > HTTP. The Service: HTTP-Web server window appears. Step 2 On this window, enter the desired HTTP and HTTPS port numbers. If no values are entered in the port number fields, the default values are used.
Chapter 5 Administering the Access Point Configuring a System Name and Prompt Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 hostname name Manually configure a system name. The default setting is ap. Note When you change the system name, the wireless device radios reset, and associated client devices disassociate and quickly reassociate. Note You can enter up to 63 characters for the system name.
Chapter 5 Administering the Access Point Configuring a System Name and Prompt Table 5-5 Default DNS Configuration Feature Default Setting DNS enable state Disabled. DNS default domain name None configured. DNS servers No name server addresses are configured. Setting Up DNS Beginning in privileged EXEC mode, follow these steps to set up the wireless device to use the DNS: Command Purpose Step 1 configure terminal Enter global configuration mode.
Chapter 5 Administering the Access Point Creating a Banner To remove a domain name, use the no ip domain-name name global configuration command. To remove a name server address, use the no ip name-server server-address global configuration command. To disable DNS on the wireless device, use the no ip domain-lookup global configuration command. Displaying the DNS Configuration To display the DNS configuration information, use the show running-config privileged EXEC command.
Chapter 5 Administering the Access Point Creating a Banner Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 banner motd c message c Specify the message of the day. For c, enter the delimiting character of your choice, such as a pound sign (#), and press the Return key. The delimiting character signifies the beginning and end of the banner text.
Chapter 5 Administering the Access Point Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode Configuring a Login Banner You can configure a login banner to appear on all connected terminals. This banner appears after the MOTD banner and before the login prompt. Beginning in privileged EXEC mode, follow these steps to configure a login banner: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 banner login c message c Specify the login message.
Chapter 5 Administering the Access Point Migrating to Japan W52 Domain Migrating to Japan W52 Domain This utility is used to migrate 802.11a radios from the J52 to W52 domains. The utility operates on the 1130, 1200 (with RM20, RM21, and RM22A radios), and 1240 access points. Migration is not supported on access points that do not ship with 802.11a radios. The following interface global configuration mode CLI command is used to migrate an access point 802.
Chapter 5 Administering the Access Point Configuring Multiple VLAN and Rate Limiting for Point-to-Multipoint Bridging Verifying the Migration Use the show controllers command to confirm the migration as shown in this typical example: ap#show controllers dot11Radio 1 ! interface Dot11Radio1 Radio AIR-AP1242A, Base Address 0013.5f0e.d1e0, BBlock version 0.00, Software version 5.95.
Chapter 5 Administering the Access Point Configuring Multiple VLAN and Rate Limiting for Point-to-Multipoint Bridging In a typical scenario, multiple VLAN support permits users to set up point-to-multipoint bridge links with remote sites, with each remote site on a separate VLAN. This configuration allows the user to separate and control traffic to each site. Rate limiting ensures that no remote site consumes more than a specified amount of the entire link bandwidth.
Chapter 6 Configuring Radio Settings This chapter describes how to configure radio settings for the wireless device. This chapter includes the following sections: • Enabling the Radio Interface, page 6-2 • Configuring the Role in Radio Network, page 6-2 • Point-to-point and Multi Point bridging support for 802.
Chapter 6 Configuring Radio Settings Enabling the Radio Interface Enabling the Radio Interface The wireless device radios are disabled by default. Note Beginning with Cisco IOS Release 12.3(8)JA there is no SSID. You must create an SSID before you can enable the radio interface. Beginning in privileged EXEC mode, follow these steps to enable the access point radio: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 dot11 ssid ssid Enter the SSID.
Chapter 6 Configuring Radio Settings Configuring the Role in Radio Network Table 6-1 Device Role in Radio Network Configuration (continued)

Role in Radio Network                   AP 1040  AP 1100  AP 1130  AP 1140  AP 1200  AP 1240  AP 1250  AP 1260  1300 AP/BR
Non-root bridge with wireless clients   X        –        –        X        X        X        X        X        X
Workgroup bridge                        X        X        X        X        X        X        X        X        X
Universal workgroup bridge1             X        –        –        X        X        X        X        X        X
Scanner                                 X        X        X        X        X        X        X        X        X
1.
Chapter 6 Configuring Radio Settings Configuring the Role in Radio Network Command Purpose Step 3 station-role non-root {bridge | wireless-clients} repeater ... Set the wireless device role. • Set the role to non-root bridge with or without wireless clients, repeater access point, root access point or bridge, scanner, or workgroup bridge. • Bridge modes are available only on the 1040, 1140, 1200, 1240, 1250, and 1260 series access points.
Chapter 6 Configuring Radio Settings Configuring the Role in Radio Network Note When you enable the role in the radio network as a bridge or workgroup bridge and enable the interface using the no shut command, the physical status and the software status of the interface will be up only if the device on the other end (access point or bridge) is up. Otherwise, only the physical status of the interface will be up.
Chapter 6 Configuring Radio Settings Configuring the Role in Radio Network Note In point-to-multipoint bridging, WGB is not recommended with the root bridge. WGB should be associated to the root AP in point-to-multipoint bridging setup.
Chapter 6 Configuring Radio Settings Configuring the Role in Radio Network Radio Tracking You can configure the access point to track or monitor the status of one of its radios. If the tracked radio goes down or is disabled, the access point shuts down the other radio. If the tracked radio comes up, the access point enables the other radio.
Chapter 6 Configuring Radio Settings Configuring Radio Data Rates Bridge Features Not Supported The following features are not supported when a 1200 or 1240 series access point is configured as a bridge: • Clear Channel Assessment (CCA) • Interoperability with 1400 series bridge • Concatenation • Install mode • EtherChannel and PAgP configuration on the switch Configuring Radio Data Rates You use the data rate settings to choose the data rates the wireless device uses for data transmission.
Chapter 6 Configuring Radio Settings Configuring Radio Data Rates to be made based on resources available to the wireless project, type of traffic the users will be passing, service level desired, and as always, the quality of the RF environment. When you enter throughput for the data rate setting, the wireless device sets all four data rates to basic. Note When a wireless network has a mixed environment of 802.11b clients and 802.11g clients, make sure that data rates 1, 2, 5.
Chapter 6 Configuring Radio Settings Configuring Radio Data Rates Step 3 Command Purpose speed Set each data rate to basic or enabled, or enter range to optimize range or throughput to optimize throughput. 802.11b, 2.4-GHz radio: {[1.0] [11.0] [2.0] [5.5] [basic-1.0] [basic-11.0] [basic-2.0] [basic-5.5] | range | throughput} • Enter 1.0, 2.0, 5.5, 6.0, 9.0, 11.0, 12.0, 18.0, 24.0, 36.0, 48.0, and 54.0 to set these data rates to enabled on the 802.11g, 2.4-GHz radio. 802.11g, 2.4-GHz radio: {[1.
Chapter 6 Configuring Radio Settings Configuring MCS Rates Command Purpose speed (continued) On the 802.11n 2.4-GHz radio, the default option sets rates 1.0, 2.0, 5.5, and 11.0 to enabled. On the 802.11n 5-GHz radio, the default option sets rates 6.0, 12.0, and 24.0 to enabled. The default MCS rate setting for both 802.11n radios is 0–15. Step 4 end Return to privileged EXEC mode. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
Chapter 6 Configuring Radio Settings Configuring Radio Transmit Power Table 6-2 MCS Index Data Rates Based on MCS Settings, Guard Interval, and Channel Width (continued)

MCS Index   Guard Interval = 800 ns                  Guard Interval = 400 ns
            20-MHz Channel     40-MHz Channel        20-MHz Channel     40-MHz Channel
            Data Rate (Mbps)   Data Rate (Mbps)      Data Rate (Mbps)   Data Rate (Mbps)
2           19.5               40.5                  21 2/3             45
3           26                 54                    28 8/9             60
4           39                 81                    43 1/3             90
5           52                 109                   57 5/9             120
6           58.5               121.
Chapter 6 Configuring Radio Settings Configuring Radio Transmit Power Step 2 Click Technical Support & Documentation. A small window appears containing a list of technical support links. Step 3 Click Technical Support & Documentation. The Technical Support and Documentation page appears. Step 4 In the Documentation & Tools section, choose Wireless. The Wireless Support Resources page appears. Step 5 In the Wireless LAN Access section, choose the device you are working with.
Chapter 6 Configuring Radio Settings Configuring Radio Transmit Power Step 3 Command Purpose power local Set the transmit power for the 802.11b, 2.4-GHz radio or the 5-GHz radio to one of the power levels allowed in your regulatory domain. These options are available for the 802.11b, 2.
Chapter 6 Configuring Radio Settings Configuring Radio Transmit Power Limiting the Power Level for Associated Client Devices You can also limit the power level on client devices that associate to the wireless device. When a client device associates to the wireless device, the wireless device sends the maximum power level setting to the client. Note Cisco AVVID documentation uses the term Dynamic Transmit Power Control (DTPC) to refer to limiting the power level on associated client devices.
Chapter 6 Configuring Radio Settings Configuring Radio Channel Settings Command Purpose Step 4 end Return to privileged EXEC mode. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. Use the no form of the client power command to disable the maximum power level for associated clients. Note Aironet extensions must be enabled to limit the power level on associated client devices. Aironet extensions are enabled by default.
Chapter 6 Configuring Radio Settings Configuring Radio Channel Settings Because they change frequently, channel settings are not included in this document. For up-to-date information on channel settings for your access point or bridge, see the Channels and Maximum Power Settings for Cisco Aironet Autonomous Access Points and Bridges. This document is available on cisco.com at the following URL: http://cisco.com/en/US/products/ps6521/tsd_products_support_install_and_upgrade.html Channel Widths for 802..
Chapter 6 Configuring Radio Settings Configuring Radio Channel Settings Dynamic Frequency Selection Access points with 5-GHz radios configured at the factory for use in the United States, Europe, Singapore, Korea, Japan, Israel, and Taiwan now comply with regulations that require radio devices to use Dynamic Frequency Selection (DFS) to detect radar signals and avoid interfering with them. When an access point detects radar on a certain channel, it avoids using that channel for 30 minutes.
Chapter 6 Configuring Radio Settings Configuring Radio Channel Settings If radar is detected on a manually configured DFS channel, the channel will be changed automatically and will not return to the configured channel. Prior to transmitting on any channels listed in Table 6-4, the access point radio performs a Channel Availability Check (CAC). The CAC is a 60 second scan for the presence of radar signals on the channel.
Chapter 6 Configuring Radio Settings Configuring Radio Channel Settings Confirming that DFS is Enabled Use the show controllers dot11radio1 command to confirm that DFS is enabled. The command also includes indications that uniform spreading is required and channels that are in the non-occupancy period due to radar detection. This example shows a line from the output for the show controller command for a channel on which DFS is enabled.
Chapter 6 Configuring Radio Settings Configuring Radio Channel Settings Step 3 Command Purpose channel {number | dfs | band <1-4>} For number, enter one of the following channels: 36, 40, 44, 48, 149, 153, 157, 161, 5180, 5200, 5220, 5240, 5745, 5765, 5785, or 5805. Enter dfs and one of the following frequency bands to use dynamic frequency selection on the selected channel: 1—5.150 to 5.250 GHz 2—5.250 to 5.350 GHz 3—5.470 to 5.725 GHz 4—5.725 to 5.
Chapter 6 Configuring Radio Settings Configuring Location-Based Services ap(config-if)# no dfs band 1 2 block This example shows how to unblock all frequencies for DFS: ap(config-if)# no dfs band block Setting the 802.11n Guard Interval The 802.11n guard interval is the period in nanoseconds between packets. Two settings are available: short (400ns) and long (800ns). Beginning in privileged EXEC mode, follow these steps to set the 802.11n guard interval.
Chapter 6 Configuring Radio Settings Configuring Location-Based Services on the location information that it receives from the LBS-enabled access points. If your network has a WLSE, the location server can query the WLSE for the status of LBS-enabled access points. Figure 6-2 shows the basic parts of an LBS-enabled network.
Chapter 6 Configuring Radio Settings Enabling and Disabling World Mode Step 5 Command Purpose packet-type {short | extended} (Optional) Select the packet type that the access point accepts from the LBS tag. • short—The access point accepts short location packets from the tag. In short packets, the LBS information is missing from the tag packet frame body and the packet indicates the tag transmit channel. • extended—This is the default setting.
Chapter 6 Configuring Radio Settings Disabling and Enabling Short Radio Preambles Beginning in privileged EXEC mode, follow these steps to enable world mode: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface dot11radio {0 | 1} Enter interface configuration mode for the radio interface. Step 3 world-mode dot11d country_code code { both | indoor | outdoor } world-mode roaming | legacy Enable world mode. • Enter the dot11d option to enable 802.
Chapter 6 Configuring Radio Settings Configuring Transmit and Receive Antennas You cannot configure short or long radio preambles on the 5-GHz radio. Beginning in privileged EXEC mode, follow these steps to disable short radio preambles: Command Purpose Step 1 configure terminal Enter global configuration mode. Step 2 interface dot11radio { 0 } Enter interface configuration mode for the 2.4-GHz radio interface. Step 3 no preamble-short Disable short preambles and enable long preambles.
Step 3  gain dB
Specifies the resultant gain of the antenna attached to the device. Enter a value from –128 to 128 dB. If necessary, you can use a decimal in the value, such as 1.5.
Note: This setting does not affect the behavior of the wireless device; it only informs the WLSE on your network of the device antenna gain.
Step 4
Chapter 6 Configuring Radio Settings Disabling and Enabling Aironet Extensions Command Purpose Step 6 end Return to privileged EXEC mode. Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file. The optional parameters can be configured independently or combined when you do not want to use the defaults, as shown in the following examples: (config-if)# probe-response gratuitous period 30 (config-if)# probe-response gratuitous speed 12.
Chapter 6 Configuring Radio Settings Configuring the Ethernet Encapsulation Transformation Method Command Purpose Step 3 no dot11 extension aironet Disable Aironet extensions. Step 4 end Return to privileged EXEC mode. Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file. Use the dot11 extension aironet command to enable Aironet extensions if they are disabled.
Chapter 6 Configuring Radio Settings Enabling and Disabling Public Secure Packet Forwarding The performance cost of reliable multicast delivery—duplication of each multicast packet sent to each workgroup bridge—limits the number of infrastructure devices, including workgroup bridges, that can associate to the wireless device.
Chapter 6 Configuring Radio Settings Enabling and Disabling Public Secure Packet Forwarding To enable and disable PSPF using CLI commands on the wireless device, you use bridge groups. You can find a detailed explanation of bridge groups and instructions for implementing them in this document: • Cisco IOS Bridging and IBM Networking Configuration Guide, Release 12.2. Click this link to browse to the Configuring Transparent Bridging chapter: http://www.cisco.
For detailed information on protected ports and port blocking, refer to the “Configuring Port-Based Traffic Control” chapter in the Catalyst 3550 Multilayer Switch Software Configuration Guide, 12.1(12c)EA1. Click this link to browse to that guide: http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_book09186a008011591c.
Step 1  configure terminal
Enter global configuration mode.
Step 2  interface dot11radio {0 | 1}
Enter interface configuration mode for the radio interface. Interface 0 is the 2.4-GHz radio (including the 2.4-GHz 802.11n radio); interface 1 is the 5-GHz radio (including the 5-GHz 802.11n radio).
Step 3  rts threshold value
Set the RTS threshold. Enter an RTS threshold from 0 to 2347.
Step 4  rts retries value
Set the maximum RTS retries.
Configuring the Fragmentation Threshold
The fragmentation threshold determines the size at which packets are fragmented (sent as several pieces instead of as one block). Use a low setting in areas where communication is poor or where there is a great deal of radio interference. The default setting is 2338 bytes.
Performing a Carrier Busy Test
You can perform a carrier busy test to check the radio activity on wireless channels. During the carrier busy test, the wireless device drops all associations with wireless networking devices for 4 seconds while it conducts the carrier test and then displays the test results.
Chapter 6 Configuring Radio Settings Viewing VoWLAN Metrics Figure 6-3 Packet Handling Configuration You can also configure VoIP packet handling using the CLI. For a list of Cisco IOS commands for configuring VoIP packet handling using the CLI, consult the Cisco IOS Command Reference for Cisco Aironet Access Points and Bridges. Viewing VoWLAN Metrics VoWLAN metrics provide you with diagnostic information pertinent to VoIP performance.
Chapter 6 Configuring Radio Settings Viewing VoWLAN Metrics Figure 6-4 Access Point Metrics Summary The information presented in the group metrics summary is an aggregate of metrics from all the voice clients of individual access points that belong to the group.
Chapter 6 Configuring Radio Settings Viewing VoWLAN Metrics Figure 6-5 % of Packets > 40 ms Queuing Delay Figure 6-6 is an example of a graph showing voice streaming in progress.
Viewing Wireless Client Reports
In addition to viewing voice reports from an access point perspective, you can view them from a client perspective. For every client, the WLSE displays the access points the client associated with and the VoWLAN metrics that were recorded. To view voice reports for wireless clients, follow these steps:
Step 1 Log in to a WLSE.
Step 2 Click the Reports tab.
Step 3 Click Wireless Clients.
Viewing Voice Fault Summary
The Faults > Voice Summary page in WLSE displays a summary of the faults detected with the following voice fault types:
• Excessive Voice Bandwidth (CAC)
• Degraded Voice QoS (TSM)
To view a summary of voice faults, follow these steps:
Step 1 Log in to a WLSE.
Step 2 Click the Faults tab.
Step 3 Click Voice Summary.
Step 1 Log in to a WLSE.
Step 2 Click the Faults tab.
Step 3 Click Voice QoS Settings.
Step 4 To change a setting, choose a new value from the corresponding drop-down list. For example, to set the QoS indicator for the Upstream Delay parameter so that the green color is shown when 90% or more of packets have a delay of less than 20 ms, choose 90 from the parameter drop-down list in the Green column, as shown in the example in Figure 6-9.
Figure 6-10 Fault Settings

Configuring ClientLink
Cisco ClientLink (referred to as Beam Forming) is an intelligent beamforming technology that directs the RF signal to 802.11a/g devices to improve performance by 65%, improve coverage by up to 27 percent, and reduce coverage holes. Cisco ClientLink helps extend the useful life of existing 802.11a/g devices in mixed-client networks. It is beneficial for organizations that move to 802.
Chapter 6 Configuring Radio Settings Debugging Radio Functions [no] debug dot11 {events | packets | forwarding | mgmt | network-map | syslog | virtual-interface} The syntax is described in Table 6-5.
CHAPTER 7 Configuring Multiple SSIDs
This chapter describes how to configure and manage multiple Service Set Identifiers (SSIDs) on the access point.
Understanding Multiple SSIDs
The SSID is a unique identifier that wireless networking devices use to establish and maintain wireless connectivity. Multiple access points on a network or sub-network can use the same SSIDs. SSIDs are case sensitive and can contain up to 32 alphanumeric characters. Do not include spaces in your SSIDs.
Table 7-1 SSID Configuration Methods Supported in Cisco IOS Releases (continued)
Cisco IOS Release            Supported SSID Configuration Method
12.3(4)JA and 12.3(7)JA      Both interface-level and global; all SSIDs saved in global mode
post-12.3(4)JA               Global only

Cisco IOS Release 12.3(10b)JA supports configuration of SSID parameters at the interface level on the CLI, but the SSIDs are stored in global mode.
Configuring Multiple SSIDs
These sections contain configuration information for multiple SSIDs:
• Default SSID Configuration, page 7-4
• Creating an SSID Globally, page 7-4
• Using a RADIUS Server to Restrict SSIDs, page 7-7
Note: In Cisco IOS Release 12.3(4)JA and later, you configure SSIDs globally and then apply them to a specific radio interface.
Chapter 7 Configuring Multiple SSIDs Configuring Multiple SSIDs Command Purpose Step 3 authentication client username username password password (Optional) Set an authentication username and password that the access point uses to authenticate to the network when in repeater mode. Set the username and password on the SSID that the repeater access point uses to associate to a root access point, or with another repeater.
Note: You use the ssid command authentication options to configure an authentication type for each SSID. See Chapter 9, “Configuring an Access Point as a Local Authenticator,” for instructions on configuring authentication types.
Note: When you enable guest SSID mode for the 802.11g radio, it applies to the 802.11b radio as well, because 802.11b and 802.11g operate in the same 2.4-GHz band.
ssid buffalo
   vlan 7
   authentication open
However, this sample output from a show dot11 associations privileged EXEC command shows the spaces in the SSIDs:
SSID [buffalo] :
SSID [buffalo ] :
SSID [buffalo  ] :
Note: This command shows only the first 15 characters of the SSID. Use the show dot11 associations client command to see SSIDs having more than 15 characters.
Chapter 7 Configuring Multiple SSIDs Configuring Multiple Basic SSIDs Configuring Multiple Basic SSIDs Access point 802.11a, 802.11g, 802.11n radios support up to 8 basic SSIDs (BSSIDs), which are similar to MAC addresses. You use multiple BSSIDs to assign a unique DTIM setting for each SSID and to broadcast more than one SSID in beacons.
Chapter 7 Configuring Multiple SSIDs Configuring Multiple Basic SSIDs Figure 7-1 Global SSID Manager Page Step 2 Enter the SSID name in the SSID field. Step 3 Use the VLAN drop-down list to select the VLAN to which the SSID is assigned. Step 4 Select the radio interfaces on which the SSID is enabled. The SSID remains inactive until you enable it for a radio interface. Step 5 Enter a Network ID for the SSID in the Network ID field.
Chapter 7 Configuring Multiple SSIDs Configuring Multiple Basic SSIDs Step 7 (Optional) In the Multiple BSSID Beacon Settings section, select the Set SSID as Guest Mode check box to include the SSID in beacons. Step 8 (Optional) To increase the battery life for power-save clients that use this SSID, select the Set Data Beacon Rate (DTIM) check box and enter a beacon rate for the SSID.
Chapter 7 Configuring Multiple SSIDs Assigning IP Redirection for an SSID Assigning IP Redirection for an SSID When you configure IP redirection for an SSID, the access point redirects all packets sent from client devices associated to that SSID to a specific IP address. IP redirection is used mainly on wireless LANs serving handheld devices that use a central software application and are statically configured to communicate with a specific IP address.
Chapter 7 Configuring Multiple SSIDs Assigning IP Redirection for an SSID Guidelines for Using IP Redirection Keep these guidelines in mind when using IP redirection: • The access point does not redirect broadcast, unicast, or multicast BOOTP/DHCP packets received from client devices. • Existing ACL filters for incoming packets take precedence over IP redirection.
Chapter 7 Configuring Multiple SSIDs Including an SSID in an SSIDL IE This example shows how to configure IP redirection only for packets sent to the specific TCP and UDP ports specified in an ACL applied to the BVI1 interface. When the access point receives packets from client devices associated using the SSID robin, it redirects packets sent to the specified ports and discards all other packets: AP# configure terminal AP(config)# interface bvi1 AP(config-if-ssid)# ip redirection host 10.91.104.
Chapter 7 Configuring Multiple SSIDs NAC Support for MBSSID NAC Support for MBSSID Networks must be protected from security threats, such as viruses, worms, and spyware. These security threats disrupt business, causing downtime and continual patching. Endpoint visibility and control is needed to help ensure that all wired and wireless devices attempting to access a network meet corporate security policies. Infected or vulnerable endpoints need to be automatically detected, isolated, and cleaned.
Chapter 7 Configuring Multiple SSIDs NAC Support for MBSSID When a client associates and the RADIUS server determines that it is unhealthy, the server returns one of the quarantine NAC VLANs in its RADIUS authentication response for dot1x authentication. This VLAN should be one of the configured backup VLANs under the client SSID. If the VLAN is not one of the configured backup VLANs, the client is disassociated.
Chapter 7 Configuring Multiple SSIDs NAC Support for MBSSID Configuring NAC for MBSSID Note This feature supports only Layer 2 mobility within VLANs. Layer 3 mobility using network ID is not supported in this feature. Note Before you attempt to enable NAC for MBSSID on your access points, you should first have NAC working properly. Figure 3 shows a typical network setup.
 authentication open
 authentication network-eap eap_methods
!
dot11 ssid mktg
 vlan mktg-normal backup mktg-infected1, mktg-infected2,
 authentication open
 authentication network-eap eap_methods
!
interface Dot11Radio0
 !
 encryption vlan engg-normal key 1 size 40bit 7 482CC74122FD
 encryption vlan engg-normal mode ciphers wep40
 !
 encryption vlan mktg-normal key 1 size 40bit 7 9C3A6F2CBFBC
 encryption vlan mktg-normal mode ciphers wep40
 !
 s
CHAPTER 8 Configuring Spanning Tree Protocol
This chapter describes how to configure Spanning Tree Protocol (STP) on your access point/bridge. This chapter contains the following sections:
• Understanding Spanning Tree Protocol, page 8-2
• Configuring STP Features, page 8-8
• Displaying Spanning-Tree Status, page 8-14
Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Command Reference for Access Points and Bridges for this release.
Chapter 8 Configuring Spanning Tree Protocol Understanding Spanning Tree Protocol Understanding Spanning Tree Protocol This section describes how spanning-tree features work.
Chapter 8 Configuring Spanning Tree Protocol Understanding Spanning Tree Protocol The access point/bridge maintains a separate spanning-tree instance for each active VLAN configured on it. A bridge ID, consisting of the bridge priority and the access point/bridge MAC address, is associated with each instance. For each VLAN, the access point/bridge with the lowest access point/bridge ID becomes the spanning-tree root for that VLAN.
When an access point/bridge receives a configuration BPDU that contains superior information (lower access point/bridge ID, lower path cost, and so forth), it stores the information for that port. If this BPDU is received on the root port of the access point/bridge, the access point/bridge also forwards it with an updated message to all attached LANs for which it is the designated access point/bridge.
Chapter 8 Configuring Spanning Tree Protocol Understanding Spanning Tree Protocol BPDUs contain information about the sending access point/bridge and its ports, including access point/bridge and MAC addresses, access point/bridge priority, port priority, and path cost. STP uses this information to elect the spanning-tree root and root port for the network and the root port and designated port for each LAN segment.
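The election and BPDU comparison described above, modelled in Python as an added example (not code from this guide). The bridge names, MAC addresses and topology are constructed; the port path costs are the chapter's Ethernet (19) and radio (33) defaults plus one manually configured cost of 400, and 32768 is the 802.1D default bridge priority rather than a value from this page.

```python
"""Model of the 802.1D election the guide describes: bridge IDs, per-VLAN root
election, configuration-BPDU comparison and root path costs. Constructed
topology; not a configuration from the guide."""
from dataclasses import dataclass
import heapq


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int   # set with "bridge <group> priority <value>"
    mac: str        # access point/bridge MAC address

    @property
    def bridge_id(self):
        # Bridge ID = priority followed by the MAC address; lower compares as better.
        return (self.priority, int(self.mac.replace(":", ""), 16))


def elect_root(bridges):
    """Per VLAN, the access point/bridge with the lowest bridge ID becomes root."""
    return min(bridges, key=lambda b: b.bridge_id)


def bpdu_is_superior(received, stored):
    """Configuration BPDUs are compared as (root ID, root path cost, sender
    bridge ID, sender port ID); the first field that differs decides, lower
    winning. A superior BPDU replaces the information stored for that port."""
    return tuple(received) < tuple(stored)


def root_path_costs(bridges, links):
    """links: (bridge_a, bridge_b, port_path_cost). A bridge's root path cost is
    its root port's cost plus the cost advertised by the upstream bridge, so the
    converged values are the cheapest paths from the root; equal costs are
    broken by the lower upstream bridge ID."""
    by_name = {b.name: b for b in bridges}
    root = elect_root(bridges)
    adj = {b.name: [] for b in bridges}
    for a, b, c in links:
        adj[a].append((b, c))
        adj[b].append((a, c))
    cost = {root.name: 0}
    upstream = {root.name: None}        # neighbour reached through the root port
    heap = [(0, root.bridge_id, root.name)]
    while heap:
        c, _, name = heapq.heappop(heap)
        if c > cost[name]:
            continue                     # stale heap entry
        for nxt, port_cost in adj[name]:
            cand = c + port_cost
            best = cost.get(nxt)
            better = best is None or cand < best
            tie = (best is not None and cand == best and upstream[nxt] is not None
                   and by_name[name].bridge_id < by_name[upstream[nxt]].bridge_id)
            if better or tie:
                cost[nxt] = cand
                upstream[nxt] = name
                heapq.heappush(heap, (cand, by_name[nxt].bridge_id, nxt))
    return root, cost, upstream


def designated_bridge(segment, bridges, links):
    """For a LAN segment (names of the bridges attached to it), the designated
    bridge is the one offering the lowest root path cost; ties go to the lower
    bridge ID."""
    _, cost, _ = root_path_costs(bridges, links)
    by_name = {b.name: b for b in bridges}
    return min(segment, key=lambda n: (cost[n], by_name[n].bridge_id))


# Constructed sample: one bridge given a low priority (as the chapter's root-bridge
# examples do), the others left at the 802.1D default priority of 32768.
BRIDGES = [
    Bridge("root-bridge", 3100, "00:0b:85:00:00:01"),
    Bridge("client-bridge-north", 32768, "00:0b:85:00:00:02"),
    Bridge("client-bridge-remote", 32768, "00:0b:85:00:00:03"),
    Bridge("client-bridge-south", 32768, "00:0b:85:00:00:04"),
]
ETHERNET, RADIO = 19, 33                   # default port path costs
LINKS = [
    ("root-bridge", "client-bridge-north", RADIO),
    ("root-bridge", "client-bridge-remote", RADIO),
    ("client-bridge-north", "client-bridge-remote", ETHERNET),
    ("client-bridge-north", "client-bridge-south", ETHERNET),
    ("client-bridge-remote", "client-bridge-south", 400),   # "bridge-group 3 path-cost 400"
]

if __name__ == "__main__":
    root, cost, upstream = root_path_costs(BRIDGES, LINKS)
    print("root:", root.name)
    for name in sorted(cost):
        print(f"{name:22s} root path cost {cost[name]:4d} via {upstream[name]}")
    seg = ("client-bridge-north", "client-bridge-remote")
    print("designated bridge on north/remote segment:", designated_bridge(seg, BRIDGES, LINKS))
```

The south bridge reaches the root through north (33 + 19 = 52) rather than over its directly attached link with the configured cost of 400, which is how a high path cost steers traffic away from a link.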
Chapter 8 Configuring Spanning Tree Protocol Understanding Spanning Tree Protocol Spanning-Tree Interface States Propagation delays can occur when protocol information passes through a wireless LAN. As a result, topology changes can take place at different times and at different places in the network. When an interface transitions directly from nonparticipation in the spanning-tree topology to the forwarding state, it can create temporary data loops.
When the spanning-tree algorithm places a Layer 2 interface in the forwarding state, this process occurs:
1. The interface is in the listening state while spanning tree waits for protocol information that would transition the interface to the blocking state.
2. While spanning tree waits for the forward-delay timer to expire, it moves the interface to the learning state and resets the forward-delay timer.
3.
• Receives BPDUs

Forwarding State
An interface in the forwarding state forwards frames. The interface enters the forwarding state from the learning state. An interface in the forwarding state performs as follows:
• Receives and forwards frames received on the port
• Learns addresses
• Receives BPDUs

Disabled State
An interface in the disabled state does not participate in frame forwarding or in the spanning tree.
Table 8-2 Default STP Values When STP is Enabled (continued)
Setting                    Default Value
Bridge forward delay       15
Ethernet port path cost    19
Ethernet port priority     128
Radio port path cost       33
Radio port priority        128

The radio and Ethernet interfaces and the native VLAN on the access point/bridge are assigned to bridge group 1 by default.
Chapter 8 Configuring Spanning Tree Protocol Configuring STP Features STP Configuration Examples These configuration examples show how to enable STP on root and non-root access point/bridges with and without VLANs: • Root Bridge Without VLANs, page 8-10 • Non-Root Bridge Without VLANs, page 8-11 • Root Bridge with VLANs, page 8-11 • Non-Root Bridge with VLANs, page 8-13 Root Bridge Without VLANs This example shows the configuration of a root bridge with no VLANs configured and with STP enabled: h
Non-Root Bridge Without VLANs
This example shows the configuration of a non-root bridge with no VLANs configured and with STP enabled:
hostname client-bridge-north
ip subnet-zero
!
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ssid tsunami
    authentication open
    guest-mode
 !
 speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ssid vlan1
    vlan 1
    infrastructure-ssid
    authentication open
 !
 speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 rts threshold 2312
 station-role root
 no cdp enable
 infrastructure-client
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 no cdp enable
 bridge-group 1
!
interface Dot11Radio0.
bridge 2 priority 10000
bridge 3 protocol ieee
bridge 3 priority 3100
!
line con 0
 exec-timeout 0 0
line vty 5 15
!
end

Non-Root Bridge with VLANs
This example shows the configuration of a non-root bridge with VLANs configured and with STP enabled:
hostname client-bridge-remote
!
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ssid vlan1
    vlan 1
    auth
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
!
interface FastEthernet0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
 bridge-group 3 path-cost 400
!
interface BVI1
 ip address 1.4.64.24 255.255.0.
CHAPTER 9 Configuring an Access Point as a Local Authenticator
This chapter describes how to configure the access point as a local authenticator to serve as a stand-alone authenticator for a small wireless LAN or to provide backup authentication service. As a local authenticator, the access point performs LEAP, EAP-FAST, and MAC-based authentication for up to 50 client devices.
Understanding Local Authentication
Many small wireless LANs that could be made more secure with 802.1x authentication do not have access to a RADIUS server. On many wireless LANs that use 802.1x authentication, access points rely on RADIUS servers housed in a distant location to authenticate client devices, and the authentication traffic must cross a WAN link.
Chapter 9 Configuring an Access Point as a Local Authenticator Configuring a Local Authenticator Guidelines for Local Authenticators Follow these guidelines when configuring an access point as a local authenticator: • Use an access point that does not serve a large number of client devices. When the access point acts as an authenticator, performance might degrade for associated client devices. • Secure the access point physically to protect its configuration.
Chapter 9 Configuring an Access Point as a Local Authenticator Configuring a Local Authenticator Command Purpose Step 3 radius-server local Enable the access point as a local authenticator and enter configuration mode for the authenticator. Step 4 nas ip-address key shared-key Add an access point to the list of units that use the local authenticator. Enter the access point’s IP address and the shared key used to authenticate communication between the local authenticator and other access points.
Step 11  user username {password | nthash} password [group group-name]
Enter the LEAP and EAP-FAST users allowed to authenticate using the local authenticator. You must enter a username and password for each user.
AP(config-radsrv)# user 00095125d02b password 00095125d02b group cashiers
AP(config-radsrv)# user 00079431f04a password 00079431f04a group cashiers
AP(config-radsrv)# user carl password 272165 group managers
AP(config-radsrv)# user vic password lid178 group managers
AP(config-radsrv)# end

Configuring Other Access Points to Use the Local Authenticator
You add the local authenticator to the list of servers o
Chapter 9 Configuring an Access Point as a Local Authenticator Configuring a Local Authenticator Each time the access point tries to use the main servers while they are down, the client device trying to authenticate might report an authentication timeout. The client device retries and succeeds when the main servers time out and the access point tries the local authenticator. You can extend the timeout value on Cisco client devices to accommodate expected server timeouts.
Chapter 9 Configuring an Access Point as a Local Authenticator Configuring a Local Authenticator In this example, the local authenticator generates a PAC for the username joe, password-protects the file with the password bingo, sets the PAC to expire in 10 days, and writes the PAC file to the TFTP server at 10.0.0.5: AP# radius local-server pac-generate tftp://10.0.0.5 joe password bingo expiry 10 Configuring an Authority ID All EAP-FAST authenticators are identified by an authority identity (AID).
Chapter 9 Configuring an Access Point as a Local Authenticator Configuring a Local Authenticator Limiting the Local Authenticator to One Authentication Type By default, a local authenticator access point performs LEAP, EAP-FAST, and MAC-based authentication for client devices. However, you can limit the local authenticator to perform only one or two authentication types.
Chapter 9 Configuring an Access Point as a Local Authenticator Configuring a Local Authenticator The second section lists stats for each access point (NAS) authorized to use the local authenticator.
CHAPTER 10 Configuring Cipher Suites and WEP
This chapter describes how to configure the cipher suites required to use Wi-Fi Protected Access (WPA) and Cisco Centralized Key Management (CCKM) authenticated key management, Wired Equivalent Privacy (WEP), WEP features including AES, Message Integrity Check (MIC), Temporal Key Integrity Protocol (TKIP), and broadcast key rotation.
Understanding Cipher Suites and WEP
This section describes how WEP and cipher suites protect traffic on your wireless LAN. Just as anyone within range of a radio station can tune to the station's frequency and listen to the signal, any wireless networking device within range of an access point can receive the access point's radio transmissions.
Chapter 10 Configuring Cipher Suites and WEP Configuring Cipher Suites and WEP • TKIP (Temporal Key Integrity Protocol)—TKIP is a suite of algorithms surrounding WEP that is designed to achieve the best possible security on legacy hardware built to run WEP.
Beginning in privileged EXEC mode, follow these steps to create a WEP key and set the key properties:
Step 1  configure terminal
Enter global configuration mode.
Step 2  interface dot11radio {0 | 1}
Enter interface configuration mode for the radio interface. Interface 0 is the 2.4-GHz radio (including the 2.4-GHz 802.11n radio); interface 1 is the 5-GHz radio (including the 5-GHz 802.11n radio).
Chapter 10 Configuring Cipher Suites and WEP Configuring Cipher Suites and WEP WEP Key Restrictions Table 10-1 lists WEP key restrictions based on your security configuration.
Chapter 10 Configuring Cipher Suites and WEP Configuring Cipher Suites and WEP Note If you enable MIC but you use static WEP (you do not enable any type of EAP authentication), both the access point and any devices with which it communicates must use the same WEP key for transmitting data.
Chapter 10 Configuring Cipher Suites and WEP Configuring Cipher Suites and WEP Step 3 Command Purpose encryption [vlan vlan-id] mode ciphers {[aes | aes-ccm | ckip | tkip]} {[wep128 | wep40]} Enable a cipher suite containing the WEP protection you need. Table 10-3 lists guidelines for selecting a cipher suite that matches the type of authenticated key management you configure. • (Optional) Select the VLAN for which you want to enable WEP and WEP features. • Set the cipher options and WEP level.
Table 10-3 Cipher Suites Compatible with WPA and CCKM
Authenticated Key Management Type    Compatible Cipher Suites
CCKM
  • encryption mode ciphers wep128
  • encryption mode ciphers wep40
  • encryption mode ciphers ckip
  • encryption mode ciphers cmic
  • encryption mode ciphers ckip-cmic
  • encryption mode ciphers tkip
  • encryption mode aes
WPA
  • encryption mode ciphers tkip
  • encryption mode ciphers tkip wep128
Beginning in privileged EXEC mode, follow these steps to enable broadcast key rotation:
Step 1  configure terminal
Enter global configuration mode.
Step 2  interface dot11radio {0 | 1}
Enter interface configuration mode for the radio interface. Interface 0 is the 2.4-GHz radio (including the 2.4-GHz 802.11n radio); interface 1 is the 5-GHz radio (including the 5-GHz 802.11n radio).
CHAPTER 11 Configuring Authentication Types
This chapter describes how to configure authentication types on the access point.
Understanding Authentication Types
This section describes the authentication types that you can configure on the access point. The authentication types are tied to the SSIDs that you configure for the access point. If you want to serve different types of client devices with the same access point, you can configure multiple SSIDs. See Chapter 7, “Configuring Multiple SSIDs.
Figure 11-1 Sequence for Open Authentication (access point or bridge with WEP key = 123; client device with WEP key = 321)
1. Authentication request
2. Authentication response
3. Association request
4. Association response
5. WEP data frame to wired network
6. Key mismatch, frame discarded

Shared Key Authentication to the Access Point
Cisco provides shared key authentication to comply with the IEEE 802.11b standard.
Chapter 11 Configuring Authentication Types Understanding Authentication Types EAP Authentication to the Network This authentication type provides the highest level of security for your wireless network. By using the Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server, the access point helps a wireless client device and the RADIUS server to perform mutual authentication and derive a dynamic unicast WEP key.
Chapter 11 Configuring Authentication Types Understanding Authentication Types There is more than one type of EAP authentication, but the access point behaves the same way for each type: it relays authentication messages from the wireless client device to the RADIUS server and from the RADIUS server to the wireless client device. See the “Assigning Authentication Types to an SSID” section on page 11-10 for instructions on setting up EAP on the access point.
Figure 11-4 Sequence for MAC-Based Authentication (client device, access point or bridge, and server on the wired LAN)
1. Authentication request
2. Authentication success
3. Association request
4. Association response (block traffic from client)
5. Authentication request
6. Success
7.
Chapter 11 Configuring Authentication Types Understanding Authentication Types Figure 11-5 shows the reassociation process using CCKM.
Chapter 11 Configuring Authentication Types Understanding Authentication Types Figure 11-6 shows the WPA key management process. Figure 11-6 WPA Key Management Process Wired LAN Client device Access point Authentication server Client and server authenticate to each other, generating an EAP master key Server uses the EAP master key to generate a pairwise master key (PMK) to protect communication between the client and the access point. (However, if the client is using 802.
Chapter 11 Configuring Authentication Types Understanding Authentication Types To support the security combinations in Table 11-1, your Cisco Aironet access points and Cisco Aironet client devices must run the following software and firmware versions: • Cisco IOS Release 12.2(13)JA or later on access points • Install Wizard Version 1.2 for 340, 350, and CB20A client devices, which includes these components: – PC, LM, and PCI card driver Version 8.4 – Mini PCI and PC-cardbus card driver Version 3.
Chapter 11 Configuring Authentication Types Configuring Authentication Types Note When you configure TKIP-only cipher encryption (not TKIP + WEP 128 or TKIP + WEP 40) on any radio interface or VLAN, every SSID on that radio or VLAN must be set to use WPA or CCKM key management. If you configure TKIP on a radio or VLAN but you do not configure key management on the SSIDs, client authentication fails on the SSIDs.
Step 3 authentication open [mac-address list-name [alternate]] [[optional] eap list-name]
Purpose: (Optional) Set the authentication type to open for this SSID. Open authentication allows any device to authenticate and then attempt to communicate with the access point.
• (Optional) Set the SSID’s authentication type to open with MAC address authentication.
Step 5 authentication network-eap list-name [mac-address list-name]
Purpose: (Optional) Set the authentication type for the SSID to Network-EAP. Using the Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server, the access point helps a wireless client device and the RADIUS server to perform mutual authentication and derive a dynamic unicast WEP key.
This example sets the authentication type for the SSID batman to Network-EAP with CCKM authenticated key management. Client devices using the batman SSID authenticate using the adam server list. After they are authenticated, CCKM-enabled clients can perform fast reassociations using CCKM.
Configuring Additional WPA Settings
Use two optional settings to configure a preshared key on the access point and adjust the frequency of group key updates.
Setting a Preshared Key
To support WPA on a wireless LAN where 802.1X-based authentication is not available, you must configure a preshared key on the access point. You can enter the preshared key as ASCII or hexadecimal characters.
Step 7 broadcast-key [vlan vlan-id] {change seconds} [membership-termination] [capability-change]
Purpose: Use the broadcast key rotation command to configure additional updates of the WPA group key.
Step 8 copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.
This example shows how to enable MAC authentication caching with a one-hour timeout:
ap# configure terminal
ap(config)# dot11 aaa mac-authen filter-cache timeout 3600
ap(config)# end
Use the no form of the dot11 aaa mac-authen filter-cache command to disable MAC authentication caching.
Step 5 dot1x reauth-period {seconds | server}
Purpose: Enter the interval in seconds that the access point waits before forcing an authenticated client to reauthenticate. Enter the server keyword to configure the access point to use the reauthentication period specified by the authentication server. If you use this option, configure your authentication server with RADIUS attribute 27, Session-Timeout.
Creating an EAP Method Profile
Beginning in privileged EXEC mode, follow these steps to define a new EAP profile:
Step 1 configure terminal
Purpose: Enter global configuration mode.
Step 2 eap profile profile-name
Purpose: Enter a name for the profile.
Step 3 description
Purpose: (Optional) Enter a description for the EAP profile.
Step 4 method fast
Purpose: Enter an allowed EAP method or methods.
Applying an EAP Profile to an Uplink SSID
This operation typically applies to repeater access points. Beginning in privileged EXEC mode, follow these steps to apply an EAP profile to the uplink SSID.
Step 1 configure terminal
Purpose: Enter global configuration mode.
Step 2 interface dot11radio {0 | 1}
Purpose: Enter interface configuration mode for the radio interface. The 2.
Table 11-2 Client and Access Point Security Settings
Security Feature | Client Setting | Access Point Setting
Static WEP with open authentication | Create a WEP key and enable Use Static WEP Keys and Open Authentication | Set up and enable WEP and enable Open Authentication for the SSID
Static WEP with shared key authentication | Create a WEP key and enable Use Static WEP Keys and Shared Key Authenticat
Table 11-2 Client and Access Point Security Settings (continued)
Security Feature | Client Setting | Access Point Setting
802.1X authentication and CCKM | Enable LEAP | Select a cipher suite and enable Network-EAP and CCKM for the SSID
Note
802.1X authentication and WPA | Enable any 802.
Table 11-2 Client and Access Point Security Settings (continued)
Security Feature | Client Setting | Access Point Setting
If using ACU to configure card | Create a WEP key, enable Host Based EAP, and enable Use Static WEP Keys in ACU and select Enable network access control using IEEE 802.
Guest access is allowed through these methods:
• Web Authentication (secured)
• Web Pass-through
Web Authentication (secured)
Web authentication is a Layer 3 security feature that enables the Autonomous AP to block IP traffic (except DHCP and DNS-related packets) until the guest provides a valid username and password. In web authentication, a separate username and password must be defined for each guest.
Beginning in privileged EXEC mode, use these commands to enable Web Pass-through:
– ap(config)# ip admission name Web_passthrough consent
– ap(config)# interface dot11Radio 0
– ap(config-if)# ip admission Web_passthrough
Note Web Authentication or Web Pass-through works on an interface only when there is no VLAN.
Guest access is allowed for a maximum of twenty-four days and a minimum of five minutes.
Beginning in privileged EXEC mode, use this command to delete a guest user:
ap# clear dot11 guest-user Gues-1
Beginning in privileged EXEC mode, use this command to display guest users:
ap# show dot11 guest-users
Customized Guest Access Page
The guest access page can be customized to display a custom logo or other images.
– ap(config-ext-nacl)# permit tcp any host 40.40.5.10 eq 443
– ap(config-ext-nacl)# exit
Note acl-in and acl-out are the names of the access lists. These ACLs allow you to download the image file from the machine where it is stored and use it to customize the web page. The default page displays only the username, password, and OK elements.
Chapter 12 Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection Services
This chapter describes how to configure your access points for wireless domain services (WDS), fast, secure roaming of client devices, radio management, and wireless intrusion detection services (WIDS).
Understanding WDS
When you configure Wireless Domain Services on your network, access points on your wireless LAN use the WDS device (either an access point, an Integrated Services Router, or a switch configured as the WDS device) to provide fast, secure roaming for client devices and to participate in radio management.
Table 12-1 Participating Access Points Supported by WDS Devices (continued)
Unit Configured as WDS Device | Participating Access Points Supported
Integrated Services Router (ISR) | 100 (depending on ISR platform)
WLSM-equipped switch | 600
Role of Access Points Using the WDS Device
The access points on your wireless LAN interact with the WDS device in these activ
Figure 12-1 Client Authentication Using a RADIUS Server (client device, access point or bridge, and RADIUS server on the wired LAN): 1. Authentication request 3. Username (relay to server) (relay to client) 4. Authentication challenge 5. Authentication response (relay to server) (relay to client) 6. Authentication success 7.
device. The WDS device forwards the client’s credentials to the new access point, and the new access point sends the reassociation response to the client. Only two packets pass between the client and the new access point, greatly shortening the reassociation time. The client also uses the reassociation response to generate the unicast key.
Figure 12-3 Required Components for Layer 3 Mobility: CiscoWorks Wireless LAN Solution Engine (WLSE); Catalyst 6500 with Wireless Domain Services (WDS) on the Wireless LAN Solutions Module (WLSM); CiscoSecure ACS AAA Server; infrastructure access points (registered with WDS).
Click this link to browse to the information pages for the Cisco Structured Wi
access points. The WLSE examines the BRIDGE MIB of each CDP-discovered switch to determine if they contain any of the target MAC addresses. If CDP finds any of the MAC addresses, WLSE suppresses the corresponding switch port number.
• Excessive management frame detection: Excessive management frames indicate an attack on your wireless LAN.
• Configuring the Authentication Server to Support WDS, page 12-15
• Configuring WDS Only Mode, page 12-19
• Viewing WDS Information, page 12-20
• Using Debug Messages, page 12-21
Guidelines for WDS
Follow these guidelines when configuring WDS:
• A WDS access point that also serves client devices supports up to 30 participating access points, but a WDS access point with radios disa
Figure 12-4 shows the required configuration for each device that participates in WDS.
On the access point that you want to configure as your primary WDS access point, follow these steps to configure the access point as the main WDS candidate:
Step 1 Browse to the Wireless Services Summary page. Figure 12-5 shows the Wireless Services Summary page.
Figure 12-5 Wireless Services Summary Page
Step 2 Click WDS to browse to the WDS/WNM Summary page.
Step 5 In the Wireless Domain Services Priority field, enter a priority number from 1 to 255 to set the priority of this WDS candidate. The WDS access point candidate with the highest number in the priority field becomes the acting WDS access point.
Figure 12-7 WDS Server Groups Page
Step 10 Create a group of servers to be used for 802.1x authentication for the infrastructure devices (access points) that use the WDS access point. Enter a group name in the Server Group Name field.
Step 11 Select the primary server from the Priority 1 drop-down list.
Step 14 Configure the list of servers to be used for 802.1x authentication for client devices. You can specify a separate list for clients using a certain type of authentication, such as EAP, LEAP, PEAP, or MAC-based, or specify a list for client devices using any type of authentication. Enter a group name for the server or servers in the Server Group Name field.
Configuring Access Points to Use the WDS Device
Follow these steps to configure an access point to authenticate through the WDS device and participate in WDS:
Note To participate in WDS, infrastructure access points should run the same version of IOS as the WDS device runs.
Step 1 Browse to the Wireless Services Summary page.
The access points that you configure to interact with the WDS automatically perform these steps:
• Discover and track the current WDS device and relay WDS advertisements to the wireless LAN.
• Authenticate with the WDS device and establish a secure communication channel to the WDS device.
• Register associated client devices with the WDS device.
Figure 12-9 Network Configuration Page
Step 2 Click Add Entry under the AAA Clients table. The Add AAA Client page appears. Figure 12-10 shows the Add AAA Client page.
Figure 12-10 Add AAA Client Page
Step 3 In the AAA Client Hostname field, enter the name of the WDS device.
Step 4 In the AAA Client IP Address field, enter the IP address of the WDS device.
Step 5 In the Key field, enter exactly the same password that is configured on the WDS device.
Step 6 From the Authenticate Using drop-down list, select RADIUS (Cisco Aironet).
Step 9 Click User Setup to browse to the User Setup page. You must use the User Setup page to create entries for the access points that use the WDS device. Figure 12-11 shows the User Setup page.
Figure 12-11 User Setup Page
Step 10 Enter the name of the access point in the User field.
Step 11 Click Add/Edit.
Step 12 Scroll down to the User Setup box.
Step 13 Select CiscoSecure Database from the Password Authentication drop-down list.
Step 14 In the Password and Confirm Password fields, enter exactly the same password that you entered on the access point on the Wireless Services AP page.
Step 15 Click Submit.
Step 16 Repeat Step 10 through Step 15 for each access point that uses the WDS device.
Viewing WDS Information
On the web-browser interface, browse to the Wireless Services Summary page to view a summary of WDS status.
Using Debug Messages
In privileged EXEC mode, use these debug commands to control the display of debug messages for devices interacting with the WDS device:
Command: debug wlccp ap {mn | wds-discovery | state}
Description: Use this command to turn on display of debug messages related to client devices (mn), the WDS discovery process, and access point authentication
Configuring Access Points to Support Fast Secure Roaming
To support fast, secure roaming, the access points on your wireless LAN must be configured to participate in WDS and they must allow CCKM authenticated key management for at least one SSID. Follow these steps to configure CCKM for an SSID:
Step 1 Browse to the Encryption Manager page on the access point GUI.
Figure 12-15 Global SSID Manager Page
Step 6 On the SSID that supports CCKM, select these settings:
a. If your access point contains multiple radio interfaces, select the interfaces on which the SSID applies.
b. Select Network EAP under Authentication Settings. When you enable CCKM, you must enable Network EAP as the authentication type.
c. Select Mandatory or Optional under Authenticated Key Management. If you select Mandatory, only clients that support CCKM can associate using the SSID. If you select Optional, both CCKM clients and clients that do not support CCKM can associate using the SSID.
d. Check the CCKM check box.
Step 7 Click Apply.
Step 4 Click the over-air or over-ds radio button.
Step 5 Enter the reassociation time. The values range from 20 to 1200.
Step 6 Click Apply.
Beginning in privileged EXEC mode, perform these steps to configure SSH using the access point CLI:
Step 1 configure terminal
Purpose: Enters the global configuration mode.
Management Frame Protection operation requires a WDS and is available on 32 Mb platforms only (1130, 1140, 1240, 1250 series access points, and 1300 series access points in AP mode). MFP is configured at the WLSE, but you can configure MFP on an access point and WDS manually.
rejected. If you attempt to change the key management with Client MFP configured as required and key management WPAv2, an error message displays and rejects your CLI command. When configured as optional, Client MFP is enabled if the SSID is capable of WPAv2; otherwise Client MFP is disabled.
Step 5 end
Description: Return to the privileged EXEC mode.
Step 6 copy running-config startup-config
Description: (Optional) Save your entries in the configuration file.
Beginning in privileged EXEC mode, follow these steps to configure the WDS:
Step 1 configure terminal
Description: Enter global configuration mode.
This CLI command is used to enable 802.11w on the access point:
ap(config-ssid)# 11w-pmf client {required | optional}
These CLI commands are used to configure the association timeout and the SA query retry interval:
ap(config-ssid)# 11w-pmf association-comeback 1000-20000ms
ap(config-ssid)# 11w-pmf saquery-retry 100-500ms
These commands are optional.
Configuring Radio Management
When you configure access points on your wireless LAN to use WDS, the access points automatically play a role in radio management when they interact with the WDS device. To complete the radio management configuration, you configure the WDS device to interact with the WLSE device on your network.
Figure 12-17 WDS/WNM General Setup Page
Step 4 Check the Configure Wireless Network Manager check box.
Step 5 In the Wireless Network Manager IP Address field, enter the IP address of the WLSE device on your network.
Step 6 Click Apply. The WDS access point is configured to interact with your WLSE device.
Configuring Access Points to Participate in WIDS
To participate in WIDS, access points must be configured to participate in WDS and in radio management.
Beginning in privileged EXEC mode, follow these steps to configure the access point to capture and forward 802.11 frames:
Step 1 configure terminal
Purpose: Enter global configuration mode.
Step 2 interface dot11radio {0 | 1}
Purpose: Enter interface configuration mode for the radio interface. The 2.4-GHz radio and the 2.4-GHz 802.
Configuring Monitor Mode Limits
You can configure threshold values that the access point uses in monitor mode. When a threshold value is exceeded, the access point logs the information or sends an alert.
Chapter 13 Configuring RADIUS and TACACS+ Servers
This chapter describes how to enable and configure the Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+), which provide detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS and TACACS+ are facilitated through AAA and can be enabled only through AAA commands.
Understanding RADIUS
RADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS clients run on supported Cisco devices and send authentication requests to a central RADIUS server, which contains all user authentication and network service access information.
Figure 13-1 Sequence for EAP Authentication (client device, access point or bridge, and RADIUS server on the wired LAN): 1. Authentication request 3. Username (relay to server) (relay to client) 4. Authentication challenge 5. Authentication response (relay to server) (relay to client) 6. Authentication success 7. Authentication challenge (relay to server) (relay to client) 8. Authentication response 9.
A method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts on a user. You can use method lists to designate one or more security protocols to be used, thus ensuring a backup system if the initial method fails.
You identify RADIUS security servers by their host name or IP address, host name and specific UDP port numbers, or their IP address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service.
Step 3 radius server {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
Purpose: Specify the server name of the remote RADIUS server host.
• (Optional) For auth-port port-number, specify the UDP destination port for authentication requests.
• (Optional) For acct-port port-number, specify the UDP destination port for accounting requests.
Note
Step 6 end
Purpose: Return to privileged EXEC mode.
Step 7 show running-config
Purpose: Verify your entries.
Step 8 copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.
To remove the specified RADIUS server, use the no radius-server host {hostname | ip-address} global configuration command.
Step 3 aaa authentication login {default | list-name} method1 [method2...]
Purpose: Create a login authentication method list.
• To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.
Defining AAA Server Groups
You can configure the access point to use AAA server groups to group existing server hosts for authentication. You select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list, which lists the IP addresses of the selected server hosts.
Step 3 radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
Purpose: Specify the IP address or host name of the remote RADIUS server host.
• (Optional) For auth-port port-number, specify the UDP destination port for authentication requests.
To remove the specified RADIUS server, use the no radius-server host {hostname | ip-address} global configuration command. To remove a server group from the configuration list, use the no aaa group server radius group-name global configuration command. To remove the IP address of a RADIUS server, use the no server ip-address server group configuration command.
Beginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged EXEC access and network services:
Step 1 configure terminal
Purpose: Enter global configuration mode.
Step 2 aaa authorization network radius
Purpose: Configure the access point for user RADIUS authorization for all network-related service requests.
Note When WDS is configured, PoD requests should be directed to the WDS. The WDS forwards the disassociation request to the parent access point and then purges the session from its own internal tables.
Note PoD is supported on the Cisco CNS Access Registrar (CAR) RADIUS server, but not on the Cisco Secure ACS Server, v4.0 and earlier.
Step 1 configure terminal
Purpose: Enter global configuration mode.
Step 2 aaa accounting network start-stop radius
Purpose: Enable RADIUS accounting for all network-related service requests.
Step 3 ip radius source-interface bvi1
Purpose: Configure the access point to send its BVI IP address in the NAS_IP_ADDRESS attribute for accounting records.
Configuring Settings for All RADIUS Servers
Beginning in privileged EXEC mode, follow these steps to configure global communication settings between the access point and all RADIUS servers:
Step 1 configure terminal
Purpose: Enter global configuration mode.
Step 2 radius-server key string
Purpose: Specify the shared secret text string used between the access point and all RADIUS servers.
This example shows how to set up two main servers and a local authenticator with a server deadtime of 10 minutes:
AP(config)# aaa new-model
AP(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001 key 77654
AP(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646 key 77654
AP(config)# radius-server host 10.91.6.
Step 1 configure terminal
Purpose: Enter global configuration mode.
Step 2 radius-server vsa send [accounting | authentication]
Purpose: Enable the access point to recognize and use VSAs as defined by RADIUS IETF attribute 26.
• (Optional) Use the accounting keyword to limit the set of recognized vendor-specific attributes to only accounting attributes.
Step 3 radius-server key string
Purpose: Specify the shared secret text string used between the access point and the vendor-proprietary RADIUS server. The access point and the RADIUS server use this text string to encrypt passwords and exchange responses.
Note The key is a text string that must match the encryption key used on the RADIUS server.
Beginning in privileged EXEC mode, follow these steps to specify WISPr RADIUS attributes on the access point:
Step 1 configure terminal
Purpose: Enter global configuration mode.
Step 2 snmp-server location location
Purpose: Specify the WISPr location-name attribute.
RADIUS Attributes Sent by the Access Point
Table 13-2 through Table 13-6 identify the attributes sent by an access point to a client in access-request, access-accept, and accounting-request packets.
Table 13-4 Attributes Sent in Accounting-Request (start) Packets
Attribute ID | Description
1 | User-Name
4 | NAS-IP-Address
5 | NAS-Port
6 | Service-Type
25 | Class
41 | Acct-Delay-Time
44 | Acct-Session-Id
61 | NAS-Port-Type
VSA (attribute 26) | SSID
VSA (attribute 26) | NAS-Location
VSA (attribute 26) | Cisco-NAS-Port
VSA (attribute 26) | Interface
Table 13-5 Attributes Sent in Accounting-Request (update) Packets Attr
Note
Table 13-6 Attributes Sent in Accounting-Request (stop) Packets
Attribute ID | Description
1 | User-Name
4 | NAS-IP-Address
5 | NAS-Port
6 | Service-Type
25 | Class
41 | Acct-Delay-Time
42 | Acct-Input-Octets
43 | Acct-Output-Octets
44 | Acct-Session-Id
46 | Acct-Session-Time
47 | Acct-Input-Packets
48 | Acct-Output-Packets
49 | Acct-Terminate-Cause
61 | NAS-Port-Type
VSA (attribute 26) | SSID
VSA (attribute 26) | NA
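As an added example (not from the guide), here is a small Python encoder and decoder for the attribute list above. It checks that an accounting record carries everything Tables 13-4 and 13-6 list, and it reads the Session-Timeout value (attribute 27) that the dot1x reauth-period server step earlier tells you to configure on the authentication server. The sample record, its values, and the assumption that the SSID travels in a Cisco AVPair (Vendor-Id 9, vendor type 1) are constructed here, not taken from the guide or from access point output.

```python
import socket
import struct
from typing import List, Optional, Set, Tuple

# Attribute IDs from Tables 13-4 and 13-6, plus Session-Timeout (27) from the dot1x reauth-period step.
ATTR_NAMES = {
    1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
    25: "Class", 26: "Vendor-Specific", 27: "Session-Timeout",
    41: "Acct-Delay-Time", 42: "Acct-Input-Octets", 43: "Acct-Output-Octets",
    44: "Acct-Session-Id", 46: "Acct-Session-Time", 47: "Acct-Input-Packets",
    48: "Acct-Output-Packets", 49: "Acct-Terminate-Cause", 61: "NAS-Port-Type",
}
INTEGER_ATTRS = {5, 6, 27, 41, 42, 43, 46, 47, 48, 49, 61}            # 32-bit big-endian values
ACCT_START_REQUIRED = {1, 4, 5, 6, 25, 41, 44, 61}                     # standard attributes, Table 13-4
ACCT_STOP_REQUIRED = ACCT_START_REQUIRED | {42, 43, 46, 47, 48, 49}   # standard attributes, Table 13-6
CISCO_VENDOR_ID = 9  # IANA enterprise number carried in the Vendor-Id field of attribute 26


def encode_attr(attr_type: int, value) -> bytes:
    """Build one RFC 2865 attribute: Type (1 byte), Length (1 byte, counts the header too), Value."""
    if isinstance(value, str):
        raw = value.encode()
    elif isinstance(value, int):
        raw = struct.pack("!I", value)
    else:
        raw = bytes(value)
    if not 1 <= len(raw) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(raw) + 2) + raw


def encode_vsa(vendor_id: int, vendor_type: int, text: str) -> bytes:
    """Build attribute 26 carrying one vendor sub-attribute: Vendor-Id, Vendor-Type, Vendor-Length, data."""
    sub = text.encode()
    body = struct.pack("!IBB", vendor_id, vendor_type, len(sub) + 2) + sub
    return encode_attr(26, body)


def decode_attrs(data: bytes) -> List[Tuple[int, object]]:
    """Walk the attribute list strictly: any length that does not fit the buffer is rejected."""
    attrs: List[Tuple[int, object]] = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError(f"dangling byte at offset {pos}")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad length {length} for attribute {attr_type} at offset {pos}")
        raw = data[pos + 2:pos + length]
        if attr_type == 26:
            # Vendor-Id(4) + Vendor-Type(1) + Vendor-Length(1) + data; Vendor-Length covers the sub-TLV
            if len(raw) < 6 or raw[5] != len(raw) - 4:
                raise ValueError(f"malformed Vendor-Specific attribute at offset {pos}")
            value = (struct.unpack("!I", raw[:4])[0], raw[4], raw[6:])
        elif attr_type == 4 or attr_type in INTEGER_ATTRS:
            if len(raw) != 4:
                raise ValueError(f"attribute {attr_type} must be exactly 4 bytes")
            value = socket.inet_ntoa(raw) if attr_type == 4 else struct.unpack("!I", raw)[0]
        elif attr_type in (1, 44):   # text attributes
            value = raw.decode()
        else:                        # Class and anything unknown stay opaque bytes
            value = raw
        attrs.append((attr_type, value))
        pos += length
    return attrs


def missing_attributes(attrs: List[Tuple[int, object]], required: Set[int]) -> List[str]:
    """Names of the standard attributes from the relevant table that the record did not carry."""
    present = {attr_type for attr_type, _ in attrs}
    return sorted(ATTR_NAMES[attr_type] for attr_type in required - present)


def session_timeout(attrs: List[Tuple[int, object]]) -> Optional[int]:
    """Attribute 27 from an Access-Accept: the period the AP adopts with dot1x reauth-period server."""
    for attr_type, value in attrs:
        if attr_type == 27:
            return int(value)
    return None


def is_malformed(data: bytes) -> bool:
    """True when the strict decoder rejects the buffer (truncated or inconsistent lengths)."""
    try:
        decode_attrs(data)
    except ValueError:
        return True
    return False


# Constructed sample of an accounting-request (start) body; every value here is an assumption.
ACCT_START_SAMPLE = b"".join([
    encode_attr(1, "alice"),
    encode_attr(4, socket.inet_aton("10.0.0.5")),   # the AP's BVI address (ip radius source-interface bvi1)
    encode_attr(5, 1),
    encode_attr(6, 2),                                # Service-Type 2 = Framed
    encode_attr(25, b"\x01\x02"),                     # Class is opaque, echoed from the Access-Accept
    encode_attr(41, 0),
    encode_attr(44, "00000001"),
    encode_attr(61, 19),                              # NAS-Port-Type 19 = Wireless-IEEE 802.11
    encode_vsa(CISCO_VENDOR_ID, 1, "ssid=batman"),    # assumed: SSID carried as a Cisco AVPair (vendor type 1)
])
```

Run `missing_attributes(decode_attrs(record), ACCT_STOP_REQUIRED)` against a captured stop record to see which of the Table 13-6 counters a server should expect but did not receive.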
Configuring and Enabling TACACS+
This section contains this configuration information:
• Understanding TACACS+, page 13-23
• TACACS+ Operation, page 13-24
• Configuring TACACS+, page 13-24
• Displaying the TACACS+ Configuration, page 13-29
Understanding TACACS+
TACACS+ is a security application that provides centralized validation of users attempting to gain access to your access point.
TACACS+ Operation
When an administrator attempts a simple ASCII login by authenticating to an access point using TACACS+, this process occurs:
1. When the connection is established, the access point contacts the TACACS+ daemon to obtain a username prompt, which is then displayed to the administrator. The administrator enters a username, and the access point then contacts the TACACS+ daemon to obtain a password prompt.
This section contains this configuration information:
• Default TACACS+ Configuration, page 13-25
• Identifying the TACACS+ Server Host and Setting the Authentication Key, page 13-25
• Configuring TACACS+ Login Authentication, page 13-26
• Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, page 13-27
• Starting TACACS+ Accounting, page 13-28

Default TACACS+ Configuration

TACACS+ and
Command                 Purpose
Step 5  server ip-address
        (Optional) Associate a particular TACACS+ server with the defined server group. Repeat this step for each TACACS+ server in the AAA server group. Each server in the group must be previously defined in Step 2.
Step 6  end
        Return to privileged EXEC mode.
Step 7  show tacacs
        Verify your entries.
Command                 Purpose
Step 3  aaa authentication login {default | list-name} method1 [method2...]
        Create a login authentication method list.
        • To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.
The aaa authorization exec tacacs+ local command sets these authorization parameters:
• Use TACACS+ for privileged EXEC access authorization if authentication was performed by using TACACS+.
• Use the local database if authentication was not performed by using TACACS+.

Note  Authorization is bypassed for authenticated administrators who log in through the CLI even if authorization has been configured.
Command                 Purpose
Step 5  show running-config
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To disable accounting, use the no aaa accounting {network | exec} {start-stop} method1... global configuration command.

Displaying the TACACS+ Configuration

To display TACACS+ server statistics, use the show tacacs privileged EXEC command.
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points 13-30 OL-30644-01
Chapter 14 Configuring VLANs

This chapter describes how to configure your access point to operate with the VLANs set up on your wired LAN.
Understanding VLANs

A VLAN is a switched network that is logically segmented by function, project team, or application rather than on a physical or geographical basis. For example, all workstations and servers used by a particular workgroup team can be connected to the same VLAN, regardless of their physical connections to the network or the fact that they might be intermingled with other teams.
Figure 14-1 LAN and VLAN Segmentation with Wireless Devices
(The figure contrasts traditional LAN segmentation, with a shared hub on each floor attached to LAN 1, LAN 2 and LAN 3, against VLAN segmentation, in which Catalyst VLAN switches carry VLAN 1, VLAN 2 and VLAN 3 over a trunk port to the access point, where SSID 1 = VLAN 1, SSID 2 = VLAN 2 and SSID 3 = VLAN 3.)

Related Documents

These documents provide more detailed information pertaining to VLAN design and configuration:
Incorporating Wireless Devices into VLANs

The basic wireless components of a VLAN consist of an access point and a client associated to it using wireless technology. The access point is physically connected through a trunk port to the network VLAN switch on which the VLAN is configured. The physical connection to the VLAN switch is through the access point’s Ethernet port.
Configuring a VLAN

Note  When you configure VLANs on access points, the native VLAN must be VLAN1. In a single architecture, client traffic received by the access point is tunneled through an IP-GRE tunnel, which is established on the access point’s Ethernet interface native VLAN. Because of the IP-GRE tunnel, some users may configure another switch port as VLAN1. This misconfiguration causes errors on the switch port.
Command                 Purpose
Step 3  ssid ssid-string
        Create an SSID and enter SSID configuration mode for the new SSID. The SSID can consist of up to 32 alphanumeric characters. SSIDs are case sensitive.
Command                 Purpose
Step 11  end
         Return to privileged EXEC mode.
Step 12  copy running-config startup-config
         (Optional) Save your entries in the configuration file.
Creating a VLAN Name

Beginning in privileged EXEC mode, follow these steps to assign a name to a VLAN:

Command                 Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  dot11 vlan-name name vlan vlan-id
        Assign a VLAN name to a VLAN ID. The name can contain up to 32 ASCII characters.
Step 3  end
        Return to privileged EXEC mode.
Step 4  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
Using a RADIUS Server for Dynamic Mobility Group Assignment

You can configure a RADIUS server to dynamically assign mobility groups to users or user groups. This eliminates the need to configure multiple SSIDs on the access point. Instead, you need to configure only one SSID per access point. When users associate to the SSID, the access point passes their login information to WLSM, which passes the information to the RADIUS server.
VLAN Configuration Example

Virtual-Dot11Radio0

   Protocols Configured:   Address:              Received:        Transmitted:
        Bridging        Bridge Group 1           201688                  0
        Bridging        Bridge Group 1           201688                  0
        Bridging        Bridge Group 1           201688                  0

Virtual LAN ID:  2 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interfaces:  FastEthernet0.2
                           Virtual-Dot11Radio0.2

   Protocols Configured:   Address:              Received:        Transmitted:
Dot11Radio0.
4. Configure VLAN 1, the Management VLAN, on both the fastEthernet and dot11radio interfaces on the access point. You should make this VLAN the native VLAN.
5. Configure VLANs 2 and 3 on both the fastEthernet and dot11radio interfaces on the access point.
6. Configure the client devices.

Table 14-2 shows the commands needed to configure the three VLANs in this example.
Table 14-3 shows the results of the configuration commands in Table 14-2. Use the show running command to display the running configuration on the access point.

Table 14-3 Results of Example Configuration Commands

VLAN 1 Interfaces       VLAN 2 Interfaces       VLAN 3 Interfaces
interface Dot11Radio0.
Chapter 15 Configuring QoS

This chapter describes how to configure quality of service (QoS) on your access point. With this feature, you can provide preferential treatment to certain traffic at the expense of others. Without QoS, the access point offers best-effort service to each packet, regardless of the packet contents or size. It sends the packets without any assurance of reliability, delay bounds, or throughput.
Understanding QoS for Wireless LANs

Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped.
QoS on the wireless LAN focuses on downstream prioritization from the access point. Figure 15-1 shows the upstream and downstream traffic flow.

Figure 15-1 Upstream and Downstream Traffic Flow
(The figure shows a client device, an access point and the wired LAN, with the four flows labelled radio downstream, radio upstream, Ethernet downstream and Ethernet upstream.)

• The radio downstream flow is traffic transmitted out the access point radio to a wireless client device.
Note  This release continues to support existing 7920 wireless phone firmware. Do not attempt to use the new standard (IEEE 802.11e draft 13) QBSS Load IE with the 7920 Wireless Phone until new phone firmware is available for you to upgrade your phones.

This example shows how to enable IEEE 802.11 phone support with the legacy QBSS Load element:

AP(config)# dot11 phone

This example shows how to enable IEEE 802.
Using Band Select

Band Select allows you to move to the less congested radios if your Wi-Fi radios are capable of dual band operation. This feature improves the overall performance of the network. When the feature is enabled, the access point suppresses the probe response to all the new clients for all SSIDs that are Band Select-enabled.

To enable Band Select, follow these steps:

Step 1  Choose Security > SSID Manager.
ap(config)# dot11 ssid abcd
ap(config-ssid)# band-select

Configuring QoS

QoS is disabled by default (however, the radio interface always honors tagged 802.1P packets even when you have not configured a QoS policy). This section describes how to configure QoS on your access point.
Figure 15-2 QoS Policies Page

Step 3  With selected in the Create/Edit Policy field, type a name for the QoS policy in the Policy Name entry field. The name can contain up to 25 alphanumeric characters. Do not include spaces in the policy name.

Note  You can also select two preconfigured QoS policies: WMM and Spectralink. When you select either of these, a set of default classifications are automatically populated in the Classification field.
Step 4
Step 5  If the packets that you need to prioritize contain IP precedence information in the IP header TOS field, select an IP precedence classification from the IP Precedence drop-down list.
• Class Selector 1
• Class Selector 2
• Class Selector 3
• Class Selector 4
• Class Selector 5
• Class Selector 6
• Class Selector 7
• Expedited Forwarding

Step 8  Use the Apply Class of Service drop-down list to select the class of service that the access point will apply to packets of the type that you selected from the IP DSCP menu. The access point matches your IP DSCP selection with your class of service selection.
Step 19  Click the Apply button at the bottom of the page to apply the policies to the access point ports.

The QoS Policies Advanced Page

The QoS Policies Advanced page (Figure 15-3)

Figure 15-3 QoS Policies - Advanced Page

Select Enable or and click Apply to give top priority to all voice packets.
IGMP Snooping

When Internet Group Membership Protocol (IGMP) snooping is enabled on a switch and a client roams from one access point to another, the client’s multicast session is dropped. When the access point’s IGMP snooping helper is enabled, the access point sends a general query to the wireless LAN, prompting the client to send in an IGMP membership report.
Adjusting Radio Access Categories

The access point uses the radio access categories to calculate backoff times for each packet. As a rule, high-priority packets have short backoff times. The default values in the Min and Max Contention Window fields and in the Slot Time fields are based on settings recommended in IEEE Draft Standard 802.11e. For detailed information on these values, consult that standard.
Figure 15-4 Radio Access Categories Page

Note  In this release, clients are blocked from using an access category when you select Enable for Admission Control.

Configuring Nominal Rates

When an access point receives an ADDTS (add traffic stream) request from a WMM client, it checks the nominal rate or minimum PHY rate in the ADDTS request against the nominal rates defined by the CLI command traffic-stream.
http://cisco.com/en/US/docs/wireless/access_point/12.4_10b_JA/command/reference/cr12410b-chap2.html#wp3257080

Note  The above rates work fine for Cisco phones. Third-party wireless phones may have a different nominal rate or minimum PHY rate. You may need to enable additional nominal rates for these phones.

Optimized Voice Settings

Using the Admission Control check boxes, you can control client use of the access categories.
Note  The admission control settings you have configured in this section will not take effect until you enable admission control on an SSID.

Enabling Admission Control

This section describes how to enable admission control on an SSID. For a list of Cisco IOS commands for enabling admission control using the CLI, consult the Cisco IOS Command Reference for Cisco Aironet Access Points and Bridges.
Figure 15-5 QoS Policies Page for Voice Example

The network administrator also enables the QoS element for wireless phones setting on the QoS Policies - Advanced page. This setting gives priority to all voice traffic regardless of VLAN.

Giving Priority to Video Traffic

This section demonstrates how you could apply a QoS policy to a VLAN on your network dedicated to video traffic.
Figure 15-6 QoS Policies Page for Video Example
Chapter 16 Configuring Filters

This chapter describes how to configure and manage MAC address, IP, and EtherType filters on the access point using the web-browser interface.
Understanding Filters

Protocol filters (IP protocol, IP port, and EtherType) prevent or allow the use of specific protocols through the access point’s Ethernet and radio ports. You can set up individual protocol filters or sets of filters. You can filter protocols for wireless client devices, users on the wired LAN, or both.
Configuring Filters Using the Web-Browser Interface

This section describes how to configure and enable filters using the web-browser interface. You complete two steps to configure and enable a filter:

1. Name and configure the filter using the filter setup pages.
2. Enable the filter using the Apply Filters page.
Figure 16-1 MAC Address Filters Page

Follow this link path to reach the Address Filters page:

1. Click Services in the page navigation bar.
2. In the Services page list, click Filters.
3. On the Apply Filters page, click the MAC Address Filters tab at the top of the page.

Creating a MAC Address Filter

Follow these steps to create a MAC address filter:

Step 1  Follow the link path to the MAC Address Filters page.
Step 5  Use the Mask entry field to indicate how many bits, from left to right, the filter checks against the MAC address. For example, to require an exact match with the MAC address (to check all bits) enter 0000.0000.0000. To check only the first 4 bytes, enter 0.0.FFFF.
Step 6  Select Forward or Block from the Action menu.
Step 7  Click Add. The MAC address appears in the Filters Classes field.
If clients are not filtered immediately, click Reload on the System Configuration page to restart the access point. To reach the System Configuration page, click System Software on the task menu and then click System Configuration.

Note  Client devices with blocked MAC addresses cannot send or receive data through the access point, but they might remain in the Association Table as unauthenticated client devices.
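The mask semantics from Step 5 (a 0 bit is compared, an F bit is ignored, so 0000.0000.0000 is an exact match and 0.0.FFFF compares only the first four bytes) as an added example, not code from the guide. The dotted-hex parser, the first-matching-class-wins evaluation order and the sample addresses are assumptions made for the example.

```python
import re

MAC_BITS = 0xFFFFFFFFFFFF


def parse_mac(text):
    """Parse Cisco dotted-hex notation (three 16-bit groups, e.g. 0040.9612.3456).
    Assumption: short groups such as the 0 in 0.0.FFFF are zero-padded on the left."""
    groups = text.strip().split(".")
    if len(groups) != 3 or not all(re.fullmatch(r"[0-9A-Fa-f]{1,4}", g) for g in groups):
        raise ValueError(f"not a dotted-hex MAC address or mask: {text!r}")
    value = 0
    for g in groups:
        value = (value << 16) | int(g, 16)
    return value


def mac_matches(address, mask, candidate):
    """True if candidate equals address on every bit the mask does not ignore.
    Mask bits set to 1 (F) are wildcards; 0000.0000.0000 therefore checks all 48 bits."""
    care = ~parse_mac(mask) & MAC_BITS
    return (parse_mac(address) ^ parse_mac(candidate)) & care == 0


def filter_action(classes, default_action, candidate):
    """Evaluate a filter made of (address, mask, action) classes for one station.
    Assumption: the first matching class decides; with no match the filter's
    default action applies. Returns "forward" or "block"."""
    for address, mask, action in classes:
        if mac_matches(address, mask, candidate):
            return action
    return default_action


# Constructed sample filter: block one specific station (exact match), forward the
# rest of its 4-byte prefix, and block every other address by default.
SAMPLE_CLASSES = [
    ("0040.9612.3456", "0000.0000.0000", "block"),
    ("0040.9612.0000", "0.0.FFFF", "forward"),
]
SAMPLE_DEFAULT = "block"


def evaluate_sample(candidate):
    """Run the constructed sample filter against one MAC address."""
    return filter_action(SAMPLE_CLASSES, SAMPLE_DEFAULT, candidate)


if __name__ == "__main__":
    for station in ("0040.9612.3456", "0040.9612.ABCD", "0040.9613.0000"):
        print(station, "->", evaluate_sample(station))
```

Because the mask only widens what a class matches, a wildcarded forward class listed before an exact block class would let the blocked station through; keep exact-match classes ahead of prefix classes when the default action and class order both matter.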
Step 3  Click Advanced Security to browse to the Advanced Security: MAC Address Authentication page. Figure 16-4 shows the MAC Address Authentication page.

Figure 16-4 MAC Address Authentication Page

Step 4  Click the Association Access List tab to browse to the Association Access List page. Figure 16-5 shows the Association Access List page.
Step 6  Click Apply.

Creating a Time-Based ACL

Time-based ACLs are ACLs that can be enabled or disabled for a specific period of time. This capability provides robustness and the flexibility to define access control policies that either permit or deny certain kinds of traffic.
ACL Logging

ACL logging is not supported on the bridging interfaces of AP platforms. When applied to a bridging interface, the ACL works as if it were configured without the log option, and logging does not take effect. However, ACL logging works for the BVI interfaces as long as a separate ACL is used for the BVI interface.
Figure 16-6 IP Filters Page

Follow this link path to reach the IP Filters page:

1. Click Services in the page navigation bar.
2. In the Services page list, click Filters.
3. On the Apply Filters page, click the IP Filters tab at the top of the page.
Creating an IP Filter

Follow these steps to create an IP filter:

Step 1  Follow the link path to the IP Filters page.
Step 2  If you are creating a new filter, make sure (the default) is selected in the Create/Edit Filter Index menu. To edit an existing filter, select the filter name from the Create/Edit Filter Index menu.
Step 3  Enter a descriptive name for the new filter in the Filter Name field.
Step 15  When the filter is complete, click Apply. The filter is saved on the access point, but it is not enabled until you apply it on the Apply Filters page.
Step 16  Click the Apply Filters tab to return to the Apply Filters page. Figure 16-7 shows the Apply Filters page.

Figure 16-7 Apply Filters Page

Step 17  Select the filter name from one of the IP drop-down lists.
Figure 16-8 EtherType Filters Page

Follow this link path to reach the EtherType Filters page:

1. Click Services in the page navigation bar.
2. In the Services page list, click Filters.
3. On the Apply Filters page, click the EtherType Filters tab at the top of the page.

Creating an EtherType Filter

Follow these steps to create an EtherType filter:

Step 1  Follow the link path to the EtherType Filters page.
Step 7  Click Add. The EtherType appears in the Filters Classes field. To remove the EtherType from the Filters Classes list, select it and click Delete Class. Repeat Step 4 through Step 7 to add EtherTypes to the filter.
Step 8  Select Forward All or Block All from the Default Action menu. The filter’s default action must be the opposite of the action for at least one of the EtherTypes in the filter.
Chapter 17 Configuring CDP

This chapter describes how to configure Cisco Discovery Protocol (CDP) on your access point.

Note  For complete syntax and usage information for the commands used in this chapter, refer to the Cisco Aironet IOS Command Reference for Access Points and Bridges for this release and the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2.
Understanding CDP

Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco network equipment. Each device sends identifying messages to a multicast address, and each device monitors the messages sent by other devices. Information in CDP packets is used in network management software such as CiscoWorks2000. CDP is enabled on the access point Ethernet port by default.
Configuring CDP

Command                 Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  cdp holdtime seconds
        (Optional) Specify the amount of time a receiving device should hold the information sent by your device before discarding it. The range is from 10 to 255 seconds; the default is 180 seconds.
Step 3  cdp timer seconds
        (Optional) Set the transmission frequency of CDP updates in seconds. The range is from 5 to 254; the default is 60 seconds.
This example shows how to enable CDP.

AP# configure terminal
AP(config)# cdp run
AP(config)# end

Disabling and Enabling CDP on an Interface

CDP is enabled by default on all supported interfaces to send and receive CDP information. Beginning in privileged EXEC mode, follow these steps to disable CDP on an interface:

Command                 Purpose
Step 1  configure terminal
        Enter global configuration mode.
Monitoring and Maintaining CDP

Command                                         Description
show cdp                                        Display global information, such as frequency of transmissions and the holdtime for packets being sent.
show cdp entry entry-name [protocol | version]  Display information about a specific neighbor. You can enter an asterisk (*) to display all CDP neighbors, or you can enter the name of the neighbor about which you want information.
Device ID: idf2-1-lab-l3.cisco.com
Entry address(es):
  IP address: 10.1.1.10
Platform: cisco WS-C3524-XL,  Capabilities: Trans-Bridge Switch
Interface: GigabitEthernet0/1,  Port ID (outgoing port): FastEthernet0/10
Holdtime : 141 sec

Version :
Cisco Internetwork Operating System Software
IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5.1)XP, MAINTENANCE INTERIM SOFTWARE
Copyright (c) 1986-1999 by cisco Systems, Inc.
AP# show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID    Local Interface    Holdtme    Capability    Platform      Port ID
Perdido2     Gig 0/6            125        R S I         WS-C3550-1    Gig0/6
Perdido2     Gig 0/5            125        R S I         WS-C3550-1    Gig 0/5

AP# show cdp traffic
CDP counters :
        Total packets output: 50882, Input: 52510
        Hdr syntax: 0, Chksum error: 0, Encaps failed: 0
        No memory: 0, Invalid packet: 0, Fragmented: 0
C
Chapter 18 Configuring SNMP

This chapter describes how to configure the Simple Network Management Protocol (SNMP) on your access point.

Note  For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Command Reference for Cisco Aironet Access Points and Bridges for this release and to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.3.
Understanding SNMP

SNMP is an application-layer protocol that provides a message format for communication between SNMP managers and agents. The SNMP manager can be part of a network management system (NMS) such as CiscoWorks. The agent and management information base (MIB) reside on the access point. To configure SNMP on the access point, you define the relationship between the manager and the agent.
Table 18-1 lists the SNMP versions and security levels supported on access points.
SNMP Agent Functions

The SNMP agent responds to SNMP manager requests as follows:
• Get a MIB variable—The SNMP agent begins this function in response to a request from the NMS. The agent retrieves the value of the requested MIB variable and responds to the NMS with that value.
• Set a MIB variable—The SNMP agent begins this function in response to a message from the NMS.
Configuring SNMP

This section describes how to configure SNMP on your access point.
Configuring Community Strings

You use the SNMP community string to define the relationship between the SNMP manager and the agent. The community string acts like a password to permit access to the agent on the access point.
Command                 Purpose
Step 3  access-list access-list-number {deny | permit} source [source-wildcard]
        (Optional) If you specified an IP standard access list number in Step 2, then create the list, repeating the command as many times as necessary.
        • For access-list-number, enter the access list number specified in Step 2.
        • The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.
Configuring SNMP-Server Hosts

To configure the recipient of an SNMP trap operation, use the following command in global configuration mode:

Command                 Purpose
snmp-server host host [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type]
        Configures the recipient of an SNMP trap operation.
Table 18-4 Notification Types (continued)

Notification Type       Description
syslog                  Enable syslog traps.
wlan-wep                Enable WEP traps.

Some notification types cannot be controlled with the snmp-server enable global configuration command, such as udp-port. These notification types are always enabled. You can use the snmp-server host global configuration command to specify a host that receives the notification types listed in Table 18-4.
Command                 Purpose
Step 5  show running-config
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To remove the specified host from receiving traps, use the no snmp-server host host global configuration command. To disable a specific trap type, use the no snmp-server enable traps notification-types global configuration command.
This example shows how to assign the strings open and ieee to SNMP, to allow read-write access for both, and to specify that open is the community string for queries on non-IEEE802dot11-MIB objects and ieee is the community string for queries on IEEE802dot11-mib objects:

bridge(config)# snmp-server view dot11view ieee802dot11 included
bridge(config)# snmp-server community open rw
bridge(config)# snmp-server community ieee view ieee802dot11 rw

This example show
AP(config)# snmp-server group admin v3 priv read iso write iso
AP(config)# snmp-server user joe admin v3 auth md5 xyz123 priv des56 key007
AP(config)# snmp-server user fred admin v3 encrypted auth md5 abc789 priv des56 key99

Note  After you enter the last command in this example, the show running-config and show startup-config commands display only a partial SNMP configuration.
Chapter 19 Configuring Repeater and Standby Access Points and Workgroup Bridge Mode

This chapter describes how to configure your access point as a repeater, as a hot standby unit, or as a workgroup bridge.
Understanding Repeater Access Points

A repeater access point is not connected to the wired LAN; it is placed within radio range of an access point connected to the wired LAN to extend the range of your infrastructure or to overcome an obstacle that blocks radio communication. You can configure either the 2.4-GHz radio or the 5-GHz radio as a repeater.
Figure 19-1 Access Point as a Repeater
(The figure shows an access point acting as the root unit, attached to the wired LAN, with a second access point acting as a repeater within its radio range.)

Configuring a Repeater Access Point

This section provides instructions for setting up an access point as a repeater and includes these sections:
• Default Configuration, page 19-4
• Guidelines for Repeaters, page 19-4
• Setting Up a Repeater, page 19-5
• Verifying Repeater
Default Configuration

Access points are configured as root units by default. Table 19-1 shows the default values for settings that control the access point’s role in the wireless LAN.
Setting Up a Repeater

Beginning in privileged EXEC mode, follow these steps to configure an access point as a repeater:

Command                 Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface dot11radio { 0 | 1 }
        Enter interface configuration mode for the radio interface. The 2.4-GHz radio and the 2.4-GHz 802.11n radio are radio 0. The 5-GHz radio and the 5-GHz 802.
Command                 Purpose
Step 9   end
         Return to privileged EXEC mode.
Step 10  copy running-config startup-config
         (Optional) Save your entries in the configuration file.
Aligning Antennas

Use the show dot11 antenna-alignment command to list the MAC addresses and signal level for the last 10 devices that responded to the probe.

Verifying Repeater Operation

After you set up the repeater, check the LEDs on top of the repeater access point.
Command                 Purpose
Step 4  authentication network-eap list-name
        Enable LEAP authentication on the repeater so that LEAP-enabled client devices can authenticate through the repeater. For list-name, specify the list name you want to use for EAP authentication. You define list names for EAP and for MAC addresses using the aaa authentication login command.
Command                 Purpose
Step 7  wpa-psk { hex | ascii } [ 0 | 7 ] encryption-key
        Enter a preshared key for the repeater. Enter the key using either hexadecimal or ASCII characters. If you use hexadecimal, you must enter 64 hexadecimal characters to complete the 256-bit key. If you use ASCII, you must enter from 8 to 63 ASCII characters, and the access point expands the key for you.
Configuring a Hot Standby Access Point

When you set up the standby access point, you must enter the MAC address of the access point that the standby unit will monitor. Record the MAC address of the monitored access point before you configure the standby access point. The standby access point also must duplicate several key settings on the monitored access point.
Beginning in privileged EXEC mode, follow these steps to enable hot standby mode on an access point:
Step 1 (configure terminal): Enter global configuration mode.
Step 2 (iapp standby mac-address): Put the access point into standby mode and specify the MAC address of the radio on the monitored access point.
Step 9 (iapp standby timeout seconds): Set the number of seconds the standby access point waits for a response from the monitored access point before it assumes that the monitored access point has malfunctioned. The default timeout is 20 seconds.
Table 19-2 Standby Status Messages (continued)
Message "IAPP—AP is operating in repeater mode": The standby access point has taken over for the monitored access point and is functioning as a repeater access point.
Message "Standby status: Initializing": The standby access point is initializing link tests with the monitored access point.
Caution An access point in workgroup bridge mode can introduce a bridge loop if you connect its Ethernet port to your wired LAN. To avoid a bridge loop on your network, disconnect the workgroup bridge from your wired LAN before or soon after you configure it as a workgroup bridge.
Figure 19-2 shows an access point in workgroup bridge mode.
bridges, that can associate to an access point or bridge. To increase the number of workgroup bridges that can associate to the access point beyond 20, the access point must reduce the delivery reliability of multicast packets to workgroup bridges.
this limited channel set. This limited channel feature also affects the known channel list that the workgroup bridge receives from the access point to which it is currently associated. Channels are added to the known channel list only if they are also a part of the limited channel set.
The following example shows how the command is used. In the example, channels 1, 6, and 11 are specified to scan:
ap# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
ap(config)# int d0
ap(config-if)# ssid limited_scan
ap(config-if)# station-role workgroup-bridge
ap(config-if)# mobile station
ap(config-if)# mobile station scan 1 6 11
ap(config-if)# end
ap#
In the upstream direction, the WGB removes the 802.1q header from the packet before sending it to the WLC. In the downstream direction, while forwarding the packet to the switch that connects the wired client, the WLC sends the packet to the WGB without the 802.1q tag, and the WGB adds a 4-byte 802.1q header based on the destination MAC address.
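To make the two directions concrete, here is an added Python model of the WGB data path (example code written for this explanation, not Cisco's implementation). It assumes the WGB learns each wired client's VLAN from the tag on that client's upstream frames and uses that table, keyed by destination MAC, to re-tag downstream frames; apart from the parent-AP MAC quoted in this chapter, the MAC addresses are constructed.

```python
import struct
from typing import Dict, Optional

ETHERTYPE_8021Q = 0x8100  # TPID that starts the 4-byte 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    """Convert a MAC written as 0040.9631.81cf or 00:40:96:31:81:cf into 6 raw bytes."""
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an Ethernet II frame; when vlan is given, insert the 802.1Q tag after the source MAC."""
    frame = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        tci = (pcp & 0x7) << 13 | (vlan & 0x0FFF)  # 3 priority bits, DEI=0, 12-bit VLAN ID
        frame += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into its fields; 'vlan' is None when the frame carries no tag."""
    dst, src = frame[0:6].hex(), frame[6:12].hex()
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, body = None, frame[14:]
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, body = tci & 0x0FFF, frame[18:]
    return {"dst": dst, "src": src, "vlan": vlan, "ethertype": ethertype, "payload": body}


class WorkgroupBridge:
    """Toy model of the WGB data path: tagged frames on the wired side, untagged frames on the air."""

    def __init__(self) -> None:
        # Assumption of this model: one VLAN per wired client MAC, learned from the client's own tag.
        self.vlan_by_mac: Dict[str, int] = {}

    def upstream(self, wired_frame: bytes) -> bytes:
        """Wired client -> WGB -> WLC: record the client's VLAN, then forward without the tag."""
        f = parse_frame(wired_frame)
        if f["vlan"] is None:
            raise ValueError("wired client frame is untagged")
        self.vlan_by_mac[f["src"]] = f["vlan"]
        return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"])

    def downstream(self, air_frame: bytes) -> bytes:
        """WLC -> WGB -> wired switch: add the 4-byte tag selected by the destination MAC."""
        f = parse_frame(air_frame)
        if f["vlan"] is not None:
            raise ValueError("frame from the WLC should be untagged")
        vlan = self.vlan_by_mac.get(f["dst"])
        if vlan is None:
            raise KeyError("no VLAN known for wired client " + f["dst"])
        return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"], vlan=vlan)


def demo() -> dict:
    """Two wired clients on VLAN 10 and 20 talk to a server behind the WLC (constructed MACs)."""
    wgb = WorkgroupBridge()
    client_a, client_b, server = "0040.9631.81cf", "0040.9631.81d0", "0011.2233.4455"
    up_a = wgb.upstream(build_frame(server, client_a, ETHERTYPE_IPV4, b"A->srv", vlan=10))
    wgb.upstream(build_frame(server, client_b, ETHERTYPE_IPV4, b"B->srv", vlan=20))
    down_a = wgb.downstream(build_frame(client_a, server, ETHERTYPE_IPV4, b"srv->A"))
    down_b = wgb.downstream(build_frame(client_b, server, ETHERTYPE_IPV4, b"srv->B"))
    return {
        "up_vlan": parse_frame(up_a)["vlan"],        # None: tag stripped toward the WLC
        "up_len": len(up_a),
        "down_vlan_a": parse_frame(down_a)["vlan"],  # 10: re-tagged for client A
        "down_vlan_b": parse_frame(down_b)["vlan"],  # 20: re-tagged for client B
        "down_len": len(down_a),                     # 4 bytes longer than the untagged frame
    }


if __name__ == "__main__":
    print(demo())
```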
Step 8 (parent {1-4} mac-address [timeout]): (Optional) Enter the MAC address for the access point to which the workgroup bridge should associate.
Note You can enter MAC addresses for up to four parent access points, designated 1 to 4. The workgroup bridge always attempts to associate to the best access point from the list of its parent access points.
This example shows how to set up a workgroup bridge with the parent access points, designated 1 and 2:
AP(config-if)# parent 1 0040.9631.81cf
AP(config-if)# parent 2 0040.9631.
Note The workgroup bridge can be any autonomous access point that supports workgroup bridge mode and is running Cisco IOS Release JA or greater (on 32-MB access points) or Cisco IOS Release 12.3(8)JEB or greater (on 16-MB access points). These access points include the AP1040, AP1121, AP1130, AP1140, AP1231, AP1240, AP1250, AP1260 and AP1310.
• Wired clients connected to a workgroup bridge inherit the workgroup bridge’s QoS and AAA override attributes.
the workgroup bridge is added to the wireless LAN controller (WLC) multicast table, and the workgroup bridge converts the VideoStream unicast frame into an Ethernet multicast frame and sends it out to its wired clients.
CHAPTER 20 Managing Firmware and Configurations
This chapter describes how to manipulate the Flash file system, how to copy configuration files, and how to archive (upload and download) software images.
Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Command Reference for Access Points and Bridges for this release and the Cisco IOS Configuration Fundamentals Command Reference for Release 12.4.
Working with the Flash File System
Displaying Available File Systems
To display the available file systems on your access point, use the show file systems privileged EXEC command as shown in this example:
ap# show file systems
File Systems:
       Size(b)       Free(b)      Type  Flags  Prefixes
*     16128000      11118592     flash     rw  flash:
      16128000      11118592   unknown     rw  zflash:
         32768         26363     nvram     rw  nvram:
Setting the Default File System
You can specify the file system or directory that the system uses as the default file system by using the cd filesystem: privileged EXEC command. You can set the default file system to omit the filesystem: argument from related commands. For example, for all privileged EXEC commands that have the optional filesystem: argument, the system uses the file system specified by the cd command.
Creating and Removing Directories
Beginning in privileged EXEC mode, follow these steps to create and remove a directory:
Step 1 (dir filesystem:): Display the directories on the specified file system. For filesystem:, use flash: for the system board Flash device.
Step 2 (mkdir old_configs): Create a new directory. The command example shows how to create the directory named old_configs.
• From a startup configuration to a startup configuration
• From a device to the same device (for example, the copy flash: flash: command is invalid)
For specific examples of using the copy command with configuration files, see the “Working with Configuration Files” section on page 20-7.
• For the Trivial File Transfer Protocol (TFTP), the syntax is tftp:[[//location]/directory]/tar-filename.tar
The tar-filename.tar is the tar file to be created. For flash:/file-url, specify the location on the local Flash file system from which the new tar file is created. You can also specify an optional list of files or directories within the source directory to write to the new tar file.
Extracting a tar File
To extract a tar file into a directory on the Flash file system, use this privileged EXEC command:
archive tar /xtract source-url flash:/file-url
For source-url, specify the source URL alias for the local or network file system.
Working with Configuration Files
You can copy (download) configuration files from a TFTP, FTP, or RCP server to the running configuration of the access point for various reasons:
• To restore a backed-up configuration file.
• To use the configuration file for another access point. For example, you might add another access point to your network and want it to have a configuration similar to the original access point.
configuration is used. However, some commands in the existing configuration might not be replaced or negated. In this case, the resulting configuration file is a mixture of the existing configuration file and the copied configuration file, with the copied configuration file having precedence.
Preparing to Download or Upload a Configuration File by Using TFTP
Before you begin downloading or uploading a configuration file by using TFTP, perform these tasks:
• Ensure that the workstation acting as the TFTP server is properly configured. On a Sun workstation, make sure that the /etc/inetd.conf file contains this line: tftp dgram udp wait root /usr/etc/in.tftpd in.
The configuration file downloads, and the commands are executed as the file is parsed line by line. This example shows how to configure the software from the file tokyo-confg at IP address 172.16.2.155:
ap# copy tftp://172.16.2.155/tokyo-confg system:running-config
Configure using tokyo-confg from 172.16.2.155? [confirm] y
Booting tokyo-confg from 172.16.2.
• The access point forms a password named username@apname.domain. The variable username is the username associated with the current session, apname is the configured host name, and domain is the domain of the access point.
The username and password must be associated with an account on the FTP server. If you are writing to the server, the FTP server must be properly configured to accept your FTP write request.
Step 3 (configure terminal): Enter global configuration mode on the access point. This step is required only if you override the default remote username or password (see Steps 4, 5, and 6).
Step 4 (ip ftp username username): (Optional) Change the default remote username.
Step 5 (ip ftp password password): (Optional) Change the default password.
Step 6 (end): Return to privileged EXEC mode.
Step 1: Verify that the FTP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File by Using FTP” section on page 20-12.
Step 2: Log into the access point through a Telnet session.
Step 3 (configure terminal): Enter global configuration mode. This step is required only if you override the default remote username or password (see Steps 4, 5, and 6).
access to a server that supports the remote shell (rsh). (Most UNIX systems support rsh.) Because you are copying a file from one place to another, you must have read permission on the source file and write permission on the destination file. If the destination file does not exist, RCP creates it for you. RCP requires a client to send a remote username with each RCP request to a server.
ap1.company.com ap1
For more information, refer to the documentation for your RCP server.
Downloading a Configuration File by Using RCP
Beginning in privileged EXEC mode, follow these steps to download a configuration file by using RCP:
Step 1: Verify that the RCP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File by Using RCP” section on page 20-15.
%SYS-5-CONFIG_NV:Non-volatile store configured from host2-config by rcp from 172.16.101.101
Uploading a Configuration File by Using RCP
Beginning in privileged EXEC mode, follow these steps to upload a configuration file by using RCP:
Step 1: Verify that the RCP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File by Using RCP” section on page 20-15.
Deleting a Stored Configuration File
Caution You cannot restore a file after it has been deleted.
To delete a saved configuration from Flash memory, use the delete flash:filename privileged EXEC command. Depending on the setting of the file prompt global configuration command, you might be prompted for confirmation before you delete a file. By default, the access point prompts for confirmation on destructive file operations.
Working with Software Images
Note Starting with Cisco IOS Releases 15.2(4)JB and 12.4(25e)JAO, on Cisco Aironet 3600 series APs, the backup IOS image is deleted from the system board’s Flash memory when the new image is downloaded to it. This is by design: the system board’s Flash memory, which has a total of 31 MB, does not have enough space to store the recovery image, the new image, and the backup image.
tftp dgram udp wait root /usr/etc/in.tftpd in.tftpd -p -s /tftpboot
Make sure that the /etc/services file contains this line:
tftp 69/udp
Note You must restart the inetd daemon after modifying the /etc/inetd.conf and /etc/services files. To restart the daemon, either stop the inetd process and restart it, or enter a fastboot command (on SunOS 4.x) or a reboot command (on Solaris 2.x or SunOS 5.x).
Step 3 (archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name): Download the image file from the TFTP server to the access point, and overwrite the current image.
Step 4 (archive download-sw /leave-old-sw /reload tftp:[[//location]/directory]/image-name): Download the image file from the TFTP server to the access point, and keep the current image.
Note • The /overwrite option overwrites the software image in Flash with the downloaded image.
The algorithm installs the downloaded image on the system board Flash device (flash:). The image is placed into a new directory named with the software version string, and the system boot path variable is updated to point to the newly installed image.
• Downloading an Image File by Using FTP, page 20-24
• Uploading an Image File by Using FTP, page 20-26
Preparing to Download or Upload an Image File by Using FTP
You can copy image files to or from an FTP server. The FTP protocol requires a client to send a remote username and password on each FTP request to a server.
For more information, refer to the documentation for your FTP server.
Downloading an Image File by Using FTP
You can download a new image file and overwrite the current image or keep the current image.
Caution For the download and upload algorithms to operate properly, do not rename image directories.
Step 7 (archive download-sw /overwrite /reload ftp:[[//username[:password]@location]/directory]/image-name.tar): Download the image file from the FTP server to the access point, and overwrite the current image.
• The /overwrite option overwrites the software image in Flash with the downloaded image.
If you specify /leave-old-sw, the existing files are not removed. If there is not enough space to install the new image and keep the running image, the download process stops, and an error message is displayed. The algorithm installs the downloaded image onto the system board Flash device (flash:).
Step 6 (end): Return to privileged EXEC mode.
Step 7 (archive upload-sw ftp:[[//[username[:password]@]location]/directory]/image-name.tar): Upload the currently running access point image to the FTP server.
• For //username:password, specify the username and password. These must be associated with an account on the FTP server.
RCP requires a client to send a remote username on each RCP request to a server. When you copy an image from the access point to a server by using RCP, the Cisco IOS software sends the first valid username in this list:
• The username specified in the archive download-sw or archive upload-sw privileged EXEC command, if a username is specified.
Downloading an Image File by Using RCP
You can download a new image file and replace or keep the current image.
Caution For the download and upload algorithms to operate properly, do not rename image directories.
Beginning in privileged EXEC mode, follow Steps 1 through 6 to download a new image from an RCP server and overwrite the existing image. To keep the current image, skip Step 6.
Step 6 (archive download-sw /overwrite /reload rcp:[[[//[username@]location]/directory]/image-name.tar]): Download the image file from the RCP server to the access point, and overwrite the current image.
Step 7 (archive download-sw /leave-old-sw /reload rcp:[[[//[username@]location]/directory]/image-name.tar]): Download the image file from the RCP server to the access point, and keep the current image.
Note • The /overwrite option overwrites the software image in Flash with the downloaded image.
Note If the Flash device has sufficient space to hold two images and you want to overwrite one of these images with the same version, you must specify the /overwrite option.
If you specify /leave-old-sw, the existing files are not removed. If there is not enough room to install the new image and keep the running image, the download process stops, and an error message is displayed.
Step 5 (end): Return to privileged EXEC mode.
Step 6 (archive upload-sw rcp:[[[//[username@]location]/directory]/image-name.tar]): Upload the currently running access point image to the RCP server.
• For //username, specify the username; for the RCP copy request to execute, an account must be defined on the network server for the remote username.
Step 7: Click the Upgrade button. For additional information, click the Help icon on the Software Upgrade screen.
Browser TFTP Interface
The TFTP interface allows you to use a TFTP server on a network device to load the access point image file. Follow the instructions below to use a TFTP server:
Step 1: Open your Internet browser. You must use Microsoft Internet Explorer (Version 5.x or later) or Netscape Navigator (Version 4.
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points 20-34 OL-30644-01
CHAPTER 21 Configuring System Message Logging
This chapter describes how to configure system message logging on your access point.
Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.3.
Understanding System Message Logging
By default, access points send the output from system messages and debug privileged EXEC commands to a logging process. The logging process controls the distribution of logging messages to various destinations, such as the logging buffer, terminal lines, or a UNIX syslog server, depending on your configuration. The process also sends messages to the console.
Table 21-1 describes the elements of syslog messages.
Table 21-1 System Log Message Elements
seq no: Stamps log messages with a sequence number only if the service sequence-numbers global configuration command is configured. For more information, see the “Enabling and Disabling Sequence Numbers in Log Messages” section on page 21-6.
timestamp formats: Date and time of the message or event.
Table 21-2 Default System Message Logging Configuration (continued)
Timestamps: Disabled
Synchronous logging: Disabled
Logging server: Disabled
Syslog server IP address: None configured
Server facility: Local7 (see Table 21-4 on page 21-11)
Server severity: Informational (and numerically lower levels; see Table 21-3 on page 21-8)
Disabling and Enabling Message Logging
Message logging is enab
Setting the Message Display Destination Device
If message logging is enabled, you can send messages to specific locations in addition to the console. Beginning in privileged EXEC mode, use one or more of the following commands to specify the locations that receive messages:
Step 1 (configure terminal): Enter global configuration mode.
Enabling and Disabling Timestamps on Log Messages
By default, log messages are not timestamped. Beginning in privileged EXEC mode, follow these steps to enable timestamping of log messages:
Step 1 (configure terminal): Enter global configuration mode.
Step 2 (service timestamps log uptime): Enable log timestamps.
This example shows part of a logging display with sequence numbers enabled:
000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
Defining the Message Severity Level
You can limit the messages displayed to the selected device by specifying the severity level of the messages; the levels are described in Table 21-3.
Table 21-3 describes the level keywords. It also lists the corresponding UNIX syslog definitions from the most severe level to the least severe level.
Beginning in privileged EXEC mode, follow these steps to change the level and history table size defaults:
Step 1 (configure terminal): Enter global configuration mode.
Step 2 (logging history level): Change the default level of syslog messages stored in the history file and sent to the SNMP server. See Table 21-3 on page 21-8 for a list of level keywords.
Configuring UNIX Syslog Servers
The next sections describe how to configure the 4.3 BSD UNIX server syslog daemon and define the UNIX system logging facility.
Logging Messages to a UNIX Syslog Daemon
Before you can send system log messages to a UNIX syslog server, you must configure the syslog daemon on a UNIX server.
Step 3 (logging trap level): Limit messages logged to the syslog servers. By default, syslog servers receive informational messages and lower. See Table 21-3 on page 21-8 for level keywords.
Step 4 (logging facility facility-type): Configure the syslog facility. See Table 21-4 on page 21-11 for facility-type keywords. The default is local7.
Step 5 (end): Return to privileged EXEC mode.
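The message format shown under sequence numbers above, the severity keywords of Table 21-3 and the logging trap filter of Step 3 can be exercised together with the following added Python example (written for this chapter, not Cisco's code). The two quoted log lines are the ones from this chapter; the other two sample lines and the RFC 3164 facility codes for local0 through local7 are assumptions of the example.

```python
import re
from typing import Dict, List, Optional

# Table 21-3 level keywords, most severe (0) to least severe (7).
SEVERITY_BY_KEYWORD = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}
# RFC 3164 facility codes for the local0..local7 keywords of Table 21-4 (local7 is the default).
FACILITY_CODE = {"local%d" % i: 16 + i for i in range(8)}

# Optional "seq no:" (service sequence-numbers), optional timestamp, then %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(
    r"^(?:(?P<seq>\d{6}):\s*)?"
    r"(?:(?P<timestamp>[^%]+?):\s*)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)

# Constructed sample log: the first two lines are quoted from this chapter,
# the other two are made up here in the same format (with and without a sequence number).
SAMPLE_LOG = [
    "000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)",
    "%SYS-5-CONFIG_NV:Non-volatile store configured from host2-config by rcp from 172.16.101.101",
    "*Mar  1 00:02:17.451: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0011.2233.4455 Associated",
    "000021: *Mar  1 00:05:40.002: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down",
]


def parse_message(line: str) -> Optional[Dict]:
    """Return the fields of one IOS log line, or None if it is not a system message."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    msg = m.groupdict()
    msg["seq"] = int(msg["seq"]) if msg["seq"] else None
    msg["severity"] = int(msg["severity"])
    return msg


def trap_filter(lines: List[str], level_keyword: str = "informational") -> List[Dict]:
    """Mimic 'logging trap level': forward messages at that level and numerically lower (more severe)."""
    limit = SEVERITY_BY_KEYWORD[level_keyword]
    kept = []
    for line in lines:
        msg = parse_message(line)
        if msg is not None and msg["severity"] <= limit:
            kept.append(msg)
    return kept


def syslog_priority(severity: int, facility_keyword: str = "local7") -> int:
    """PRI value the UNIX syslog daemon receives: facility code * 8 + severity (RFC 3164)."""
    return FACILITY_CODE[facility_keyword] * 8 + severity


if __name__ == "__main__":
    for msg in trap_filter(SAMPLE_LOG, "notifications"):
        print(msg["severity"], msg["facility"], msg["mnemonic"], "PRI", syslog_priority(msg["severity"]))
```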
Displaying the Logging Configuration
To display the current logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2. To display the logging history file, use the show logging history privileged EXEC command.
CHAPTER 22 Troubleshooting
This chapter provides troubleshooting procedures for basic problems with the wireless device. For the most up-to-date, detailed troubleshooting information, refer to the Cisco TAC website at the following URL (select Top Issues and then select Wireless Technologies): http://www.cisco.
Checking the LED Indicators
If your wireless device is not communicating, first check the LED indicators on the device to quickly assess the device’s status. The LED indicator setup is not the same across all Cisco Aironet series access points. Depending on the series, your access point may have a single Status LED indicator, or three indicators: Ethernet LED, Status LED, and Radio LED.
On power on, the 1040, 1130, 1140, 1240, 1250, and 1260 series access points are placed into low power mode (both radios are disabled), Cisco IOS software loads and runs, and power negotiation determines if sufficient power is available. If there is sufficient power, the radios are turned on; otherwise, the access point remains in low power mode with the radios disabled to prevent a possible over-current condition.
Note The wireless device MAC address that appears on the Status page in the Aironet Client Utility (ACU) is the MAC address for the wireless device radio. The MAC address for the access point Ethernet port is printed on the label on the back of the access point.
Resetting to the Default Configuration
If you forget the password that allows you to configure the wireless device, you may need to completely reset the configuration.
Using the Web Browser Interface
Follow these steps to delete the current configuration and return all wireless device settings to the factory defaults using the web browser interface:
Step 1: Open your Internet browser. You must use Microsoft Internet Explorer (version 6.x or later) or Netscape Navigator (version 7.x).
Step 2: Enter the wireless device’s IP address in the browser address line and press Enter.
flashfs[0]: flashfs fsck took 0 seconds.
...done initializing Flash.
Step 5: Use the dir flash: command to display the contents of Flash and find the config.txt configuration file.
ap: dir flash:
Directory of flash:/
3 .rwx 223 env_vars
4 .rwx 2190 config.txt
5 .rwx 27 private.config
150 drwx 320 c350.k9w7.mx.122.13.
Using the MODE button
You can use the MODE button on 1040, 1100, and 1200 series access points to reload the access point image file from an active Trivial File Transfer Protocol (TFTP) server on your network or on a PC connected to the access point Ethernet port.
Note You cannot use the MODE button to reload the image file on 350 series access points.
Browser HTTP Interface
The HTTP interface enables you to browse to the wireless device image file on your PC and download the image to the wireless device. Follow the instructions below to use the HTTP interface:
Step 1: Open your Internet browser. You must use Microsoft Internet Explorer (version 6.x or later) or Netscape Navigator (version 7.x).
Step 2: Enter the wireless device’s IP address in the browser address line and press Enter.
Using the CLI
Follow the steps below to reload the wireless device image using the CLI. When the wireless device begins to boot, you interrupt the boot process and use boot loader commands to load an image from a TFTP server to replace the image in the wireless device.
Note Your wireless device configuration is not changed when using the CLI to reload the image file.
Step 1: Open the CLI using a connection to the wireless device console port.
extracting c350-k9w7-mx.122-13.JA1/html/level1/appsui.js (558 bytes)
extracting c350-k9w7-mx.122-13.JA1/html/level1/back.htm (205 bytes)
extracting c350-k9w7-mx.122-13.JA1/html/level1/cookies.js (5027 bytes).
extracting c350-k9w7-mx.122-13.JA1/html/level1/forms.js (15704 bytes)...
extracting c350-k9w7-mx.122-13.JA1/html/level1/sitewide.js (14621 bytes)...
extracting c350-k9w7-mx.122-13.JA1/html/level1/config.
Step 6: Click IOS. A list of available Cisco IOS versions appears.
Step 7: Choose the version you wish to download. The download page for the version you chose appears.
Step 8: Click WIRELESS LAN.
Step 9: If prompted, enter your login and password. The Encryption Software Export Distribution Authorization page appears.
Step 10: Answer the questions on the page and click Submit. The Download page appears.
Step 11: Click DOWNLOAD.
To perform image recovery on the 1520 access point, follow these steps:
Step 1: With the access point powered off, connect an RJ45 console cable to the console port (). The console port is the black plastic RJ45 jack inside the unit.
Figure 22-1 Connecting an RJ45 Console Cable to the Console Port
Step 2: Configure the terminal emulator for 8 data bits, no parity, no flow control, 9600 bps.
Step 3: Apply power to the access point.
Note If the ENABLE_BREAK=no environment variable is set, you will not be able to escape to the bootloader.
Step 5: Cable the 1520 access point’s LAN port (“PoE In”) to a TFTP server, for example, a Windows PC with tftpd32 installed.
Step 6: Install a good copy of the c1520 k9w8 IOS image on the TFTP server.
Step 7: Configure the TFTP server's LAN interface with a static IP address, for example, 10.1.1.1.
MAC_ADDR=00:1F:27:75:DB:00
MAC_ADDR_BLOCK_SIZE=01 00
NETMASK=255.255.255.
APPENDIX A Protocol Filters
The tables in this appendix list some of the protocols that you can filter on the access point. The tables include:
• Table A-1, EtherType Protocols
• Table A-2, IP Protocols
• Table A-3, IP Port Protocols
In each table, the Protocol column lists the protocol name, the Additional Identifier column lists other names for the same protocol, and the ISO Designator column lists the numeric designator for each protocol.
Table A-1 EtherType Protocols
Protocol | Additional Identifier | ISO Designator
ARP | — | 0x0806
RARP | — | 0x8035
IP | — | 0x0800
Berkeley Trailer Negotiation | — | 0x1000
LAN Test | — | 0x0708
X.25 Level3 | X.25 | 0x0805
Banyan | — | 0x0BAD
CDP | — | 0x2000
DEC XNS | XNS | 0x6000
DEC MOP Dump/Load | — | 0x6001
DEC MOP | MOP | 0x6002
DEC LAT | LAT | 0x6004
Ethertalk | — | 0x809B
Appletalk ARP | Appletalk AARP | 0x80F3
IPX 802.2 | — | 0x00E0
IPX 802.
Table A-2 IP Protocols
Protocol | Additional Identifier | ISO Designator
dummy | — | 0
Internet Control Message Protocol | ICMP | 1
Internet Group Management Protocol | IGMP | 2
Transmission Control Protocol | TCP | 6
Exterior Gateway Protocol | EGP | 8
PUP | — | 12
CHAOS | — | 16
User Datagram Protocol | UDP | 17
XNS-IDP | IDP | 22
ISO-TP4 | TP4 | 29
ISO-CNLP | CNLP | 80
Banyan VINES | VINES | 83
Encapsulation Header | encap_hdr | 98
Spectralink Voice Protocol | SVP Spectralink | 119
raw
Table A-3 IP Port Protocols
Protocol | Additional Identifier | ISO Designator
TCP port service multiplexer | tcpmux | 1
echo | — | 7
discard (9) | — | 9
systat (11) | — | 11
daytime (13) | — | 13
netstat (15) | — | 15
Quote of the Day | qotd quote | 17
Message Send Protocol | msp | 18
ttytst source | chargen | 19
FTP Data | ftp-data | 20
FTP Control (21) | ftp | 21
Secure Shell (22) | ssh | 22
Telnet | — | 23
Simple Mail Transport Protocol | SMTP mail | 25
time | timserver | 37
Resource Loc
Table A-3 IP Port Protocols (continued)
Protocol | Additional Identifier | ISO Designator
TSAP | iso-tsap | 102
CSO Name Server | cso-ns csnet-ns | 105
Remote Telnet | rtelnet | 107
Postoffice v2 | POP2 POP v2 | 109
Postoffice v3 | POP3 POP v3 | 110
Sun RPC | sunrpc | 111
tap ident authentication | auth | 113
sftp | — | 115
uucp-path | — | 117
Network News Transfer Protocol | Network News readnews nntp | 119
USENET News Transfer Protocol | Network News readnews nntp | 119
Network T
Table A-3 IP Port Protocols (continued)
Protocol | Additional Identifier | ISO Designator
SNMP Unix Multiplexer | smux | 199
AppleTalk Routing | at-rtmp | 201
AppleTalk name binding | at-nbp | 202
AppleTalk echo | at-echo | 204
AppleTalk Zone Information | at-zis | 206
NISO Z39.
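As an added illustration (not Cisco code and not the access point's own filter engine), the following Python extracts the three fields the tables above key on, the EtherType, the IPv4 protocol number and the TCP/UDP port, and applies block lists expressed with the ISO designators from Tables A-1 to A-3. The frames it classifies are constructed inside the block, and the block-or-forward semantics are a simplification assumed here.

```python
"""Three-layer protocol filter matcher modelled on Tables A-1 to A-3.

Added illustration with constructed frames; not Cisco code and not the
access point's own filter engine.
"""
import struct

# Numeric designators copied from the tables above (a subset).
ETHERTYPE = {"ARP": 0x0806, "RARP": 0x8035, "IP": 0x0800, "CDP": 0x2000, "IPX 802.2": 0x00E0}
IP_PROTO = {"ICMP": 1, "IGMP": 2, "TCP": 6, "EGP": 8, "UDP": 17}
IP_PORT = {"ftp": 21, "ssh": 22, "telnet": 23, "sunrpc": 111, "nntp": 119, "smux": 199}


def classify(frame: bytes) -> dict:
    """Extract the EtherType, IPv4 protocol number and L4 ports that the filters key on."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"ethertype": ethertype, "ip_proto": None, "src_port": None, "dst_port": None}
    if ethertype != ETHERTYPE["IP"]:
        return info                      # only IP frames carry the A-2/A-3 fields
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (ip[0] & 0x0F) * 4             # header length in bytes (options included)
    info["ip_proto"] = ip[9]
    if info["ip_proto"] in (IP_PROTO["TCP"], IP_PROTO["UDP"]) and len(ip) >= ihl + 4:
        info["src_port"], info["dst_port"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return info


def filter_decision(info, ethertype_block=(), ip_proto_block=(), port_block=(), default="forward"):
    """Block when any layer's block list matches, else apply the default action (assumed semantics)."""
    if info["ethertype"] in ethertype_block:
        return "block"
    if info["ip_proto"] in ip_proto_block:
        return "block"
    if info["src_port"] in port_block or info["dst_port"] in port_block:
        return "block"
    return default


def build_frame(ethertype, ip_proto=None, src_port=0, dst_port=0) -> bytes:
    """Constructed test frame (not captured traffic): Ethernet, minimal IPv4 header, L4 ports."""
    eth = b"\x00" * 12 + struct.pack("!H", ethertype)
    if ip_proto is None:
        return eth + b"\x00" * 46
    # version/IHL, TOS, total length, ID, flags/fragment, TTL, protocol, checksum, src, dst
    ip_hdr = bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 64, ip_proto]) + b"\x00\x00" + b"\x0a\x01\x01\x01" * 2
    return eth + ip_hdr + struct.pack("!HH", src_port, dst_port)


if __name__ == "__main__":
    telnet = build_frame(ETHERTYPE["IP"], IP_PROTO["TCP"], 40000, IP_PORT["telnet"])
    print(filter_decision(classify(telnet), port_block=(IP_PORT["telnet"],)))  # block
```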
Appendix B Supported MIBs
This appendix lists the Simple Network Management Protocol (SNMP) Management Information Bases (MIBs) that the access point supports for this software release. The Cisco IOS SNMP agent supports SNMPv1, SNMPv2, and SNMPv3.
• CISCO-MEMORY-POOL-MIB
• CISCO-PROCESS-MIB
• CISCO-PRODUCTS-MIB
• CISCO-SMI-MIB
• CISCO-TC-MIB
• CISCO-SYSLOG-MIB
• CISCO-WDS-INFO-MIB
• ENTITY-MIB
• IF-MIB
• OLD-CISCO-CHASSIS-MIB
• OLD-CISCO-SYS-MIB
• OLD-CISCO-SYSTEM-MIB
• OLD-CISCO-TS-MIB
• RFC1213-MIB
• RFC1398-MIB
• SNMPv2-MIB
• SNMPv2-SMI
• SNMPv2-TC
Using FTP to Access the MIB Files
Follow these steps to obtain each MIB file by using FTP:
Step 1 Use
Appendix C Error and Event Messages
This appendix lists the CLI error and event messages. The appendix contains the following sections:
• Conventions, page C-2
• Software Auto Upgrade Messages, page C-3
• Association Management Messages, page C-5
• Unzip Messages, page C-6
• System Log Messages, page C-7
• 802.
Conventions
System error messages are displayed in the format shown in Table C-1.
Table C-1 System Error Message Format
Message Component | Description | Example
Error identifier | A string categorizing the error. | STATION-ROLE
Software component | A string identifying the software component of the error. | AUTO_INSTALL
Severity Level | A numerical string indicating the severity of the error. | 0-LOG-EMERG—emergency situation, nothing is functional
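The following Python, added here as an illustration and not Cisco code, parses syslog lines laid out as Table C-1 describes (software component, severity, error identifier, message text) and flags the identifiers whose Explanation later in this appendix points at an active attack (CKIP MIC failure, CKIP and TKIP replay) or a NAS shared-key mismatch. The log lines, timestamps, client MAC and interface names are constructed; severity names 1 through 7 are the standard Cisco IOS levels and are assumed, since only level 0 is shown in the table.

```python
"""Parse Cisco IOS syslog lines in the Table C-1 layout and triage them.

Added illustration with constructed log lines; not Cisco code.
"""
import re
from collections import Counter

# %<component>-<severity>-<identifier>: <text>. The component itself may
# contain hyphens (SW-AUTO-UPGRADE, WLCCP-WDS), so it is matched non-greedily
# up to the single-digit severity.
MSG_RE = re.compile(r"%?([A-Z][A-Z0-9_-]*?)-([0-7])-([A-Z0-9_-]+):\s*(.*)$")
MAC_RE = re.compile(r"\b[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\b")   # %e prints MACs as xxxx.xxxx.xxxx

# Level 0 is the example in Table C-1; levels 1 to 7 are the standard IOS names (assumed).
SEVERITY = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
            4: "warning", 5: "notification", 6: "informational", 7: "debugging"}

# Identifiers whose Explanation in this appendix ties them to an active attack
# or to a shared-key misconfiguration between the NAS and the local RADIUS server.
WATCHLIST = {"CKIP_MIC_FAILURE", "CKIP_REPLAY", "TKIP_REPLAY", "NAS_KEYMIS"}


def parse_line(line: str):
    """Return (component, severity, identifier, text), or None for non-IOS lines."""
    m = MSG_RE.search(line)
    if not m:
        return None
    comp, sev, ident, text = m.groups()
    return comp, int(sev), ident, text


def triage(lines):
    """Count messages per full identifier and watchlist hits per client MAC."""
    counts = Counter()
    hits = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # console noise, not a formatted message
        comp, sev, ident, text = parsed
        counts[f"{comp}-{sev}-{ident}"] += 1
        if ident in WATCHLIST:
            mac = MAC_RE.search(text)
            hits[(ident, mac.group(0) if mac else "n/a")] += 1
    return counts, hits


# Constructed sample log (not captured from a device) using identifiers from this appendix.
SAMPLE = [
    "*Mar  1 00:04:11.200: %DOT11-4-LOADING_RADIO: Interface Dot11Radio0, loading the radio firmware (5.0)",
    "*Mar  1 00:04:15.002: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up",
    "*Mar  1 00:09:30.417: %DOT11-4-TKIP_REPLAY: TKIP TSC replay was detected on a packet (TSC 0x1a received from 0011.2233.4455).",
    "*Mar  1 00:09:30.901: %DOT11-4-TKIP_REPLAY: TKIP TSC replay was detected on a packet (TSC 0x1b received from 0011.2233.4455).",
    "*Mar  1 00:12:02.113: %RADSRV-4-NAS_KEYMIS: NAS shared key mismatch.",
    "*Mar  1 00:12:05.000: %SW-AUTO-UPGRADE-2-FATAL_FAILURE: Attempt to upgrade software failed, software on flash may be deleted.",
    "console output that is not a syslog message",
]

if __name__ == "__main__":
    counts, hits = triage(SAMPLE)
    for key, n in counts.items():
        print(f"{n:3d}  {key}")
    for (ident, mac), n in hits.items():
        print(f"ALERT {ident} x{n} from {mac}")
```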
Software Auto Upgrade Messages
Error Message SW-AUTO-UPGRADE-2-FATAL_FAILURE: “Attempt to upgrade software failed, software on flash may be deleted. Please copy software into flash.”
Explanation Auto upgrade of the software failed. The software on the flash might have been deleted. Copy software into the flash.
Recommended Action Copy software before rebooting the unit.
Error Message AUTO-INSTALL-4-IP_ADDRESS_DHCP: “The radio is operating in automatic install mode and has set ip address dhcp.”
Explanation The radio is operating in automatic install mode and is configured to receive an IP address through DHCP.
Recommended Action Use the station-role configuration interface command to configure the radio for a role other than install mode.
Error Message AUTO-INSTALL-6_STATUS: “%s” %s. RSSI=-%d dBm.
Association Management Messages
Error Message DOT11-3-BADSTATE: “%s %s ->%s.”
Explanation 802.11 association and management uses a table-driven state machine to keep track of an association and transition it through various states. A state transition occurs when an association receives one of many possible events. When this error occurs, it means that an association received an event that it did not expect while in this state.
Error Message DOT11-4-DIVER_USED: Interface $s, Mcs rates 8-15 disabled due to only one transmit or recieve antenna enabled
Explanation These rates require that at least 2 receive and transmit antennas be enabled.
Recommended Action Copy the error message exactly as it appears on the console or in the system log. Research and attempt to resolve the error using the Output Interpreter https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl.
System Log Messages
Error Message %DOT11-4-LOADING_RADIO: Interface [chars], loading the radio firmware ([chars])
Explanation The radio has been stopped to load new firmware.
Recommended Action None.
Error Message %LINEPROTO-5-UPDOWN: Line protocol on Interface [chars], changed state to [chars]
Explanation The data link level line protocol has changed state.
Recommended Action None.
802.11 Subsystem Messages
Error Message DOT11-6-FREQ_USED: “Interface %s, frequency %d selected.”
Explanation After scanning for an unused frequency, the indicated interface selected the displayed frequency.
Recommended Action None.
Error Message DOT11-4-NO-VALID_INFRA_SSID: “No infrastructure SSID configured. %s not started.”
Explanation No infrastructure SSID was configured and the indicated interface was not started.
Error Message DOT11-3-TX_PWR_OUT_OF_RANGE: “Interface %s Radio transmit power out of range.”
Explanation The transmitter power level is outside the normal range on the indicated radio interface.
Recommended Action Remove unit from the network and service.
Error Message DOT11-3-RADIO_RF_LO: “Interface %s Radio cannot lock RF freq.
Error Message DOT11-6-DFS_SCAN_START: “DFS: Scanning frequency %d MHz for %d seconds.”
Explanation The device has begun its DFS scanning process.
Recommended Action None.
Error Message DOT11-6-DFS_TRIGGERED: “DFS: triggered on frequency %d MHz.”
Explanation DFS has detected RADAR signals on the indicated frequency.
Recommended Action None. The channel will be placed on the non-occupancy list for 30 minutes and a new channel will be selected.
Error Message DOT114-NO_MBSSID_BACKUP_VLAN: “Backup VLANs cannot be configured if MBSSID is not enabled. %s not started.”
Explanation To enable a backup VLAN, MBSSID mode should be configured.
Recommended Action Configure MBSSID on the device.
Error Message IF-4-MISPLACED_VLAN_TAG: “Detected a misplaced VLAN tag on source Interface %. Dropping packet.”
Explanation Received an 802.
Error Message DOT11-2-UPLINK_FAILED: “Uplink to parent failed: %s.”
Explanation The connection to the parent access point failed for the displayed reason. The uplink will stop its connection attempts.
Recommended Action Try resetting the uplink interface. Contact Technical Support if the problem persists.
Error Message DOT11-4-CANT_ASSOC: “Interface %, cannot associate %s.
Error Message DOT11-4-MAXRETRIES: “Packet to client %e reached max retries, removing the client.”
Explanation The maximum packet send retry limit has been reached and the client is being removed. This error message indicates that the access point attempts to poll the client a certain number of times, but does not receive a response. Therefore, the client is removed from the association table.
Error Message DOT11-4-RADIO_NO_FREQ: “Interface &s, all frequencies have been blocked, interface not started.”
Explanation The frequencies set for operation are invalid and a channel scan is being forced in order to select a valid operating frequency.
Recommended Action None.
Error Message DOT11-4-BCN_BURST_NO_MBSSID: “Beacon burst mode is enabled but MBSSID is not enabled, %s is down.
Error Message DOT11-4-FLASHING_RADIO: “Interface %s, flashing radio firmware (%s).”
Explanation The indicated interface radio has been stopped to load the indicated new firmware.
Recommended Action None.
Error Message DOT11-4-LOADING_RADIO: “Interface %s, loading the radio firmware (%s).”
Explanation The indicated interface radio has been stopped to load the indicated new firmware.
Recommended Action None.
Error Message DOT11-4-UPLINK_LINK_DOWN: “Interface %s, parent lost: %s.”
Explanation The connection to the parent access point on the indicated interface was lost for the reason indicated. The unit will try to find a new parent access point.
Recommended Action None.
Error Message DOT11-4-CANT_ASSOC: Cannot associate: $s
Explanation The unit could not establish a connection to a parent access point for the displayed reason.
Error Message DOT11-6-ANTENNA_GAIN: “Interface %s, antenna position/gain changed, adjusting transmitter power.”
Explanation The antenna gain has changed, so the list of allowed power levels must be adjusted.
Recommended Action None.
Error Message DOT11-4-DIVER_USED: “Interface %s Mcs rates 8-15 disabled due to only one transmit or receive antenna enabled.”
Explanation The rates listed require that at least 2 receive or transmit antennas be enabled.
Error Message DOT11-4-CKIP_MIC_FAILURE: “CKIP MIC failure was detected on a packet (Digest 0x%x) received from %e).”
Explanation CKIP MIC failure was detected on a frame. A failure of the CKIP MIC in a received packet almost certainly indicates an active attack.
Recommended Action None.
Error Message DOT11-4-CKIP_REPLAY: “CKIP SEQ replay was detected on a packet (SEQ 0x&x) received from %e.”
Explanation CKIP SEQ replay was detected on a frame.
Error Message DOT11-4-TKIP_REPLAY: “TKIP TSC replay was detected on a packet (TSC 0x%ssx received from %e).”
Explanation TKIP TSC replay was detected on a frame. A replay of the TKIP TSC in a received packet almost certainly indicates an active attack.
Recommended Action None.
Error Message DOT11-4-WLAN_RESOURCE_LIMIT: “WLAN limit exceeded on interface %s and network-id %d.”
Explanation This access point has reached its limit of 16 VLANs or WLANs.
Error Message SOAP_FIPS-2-INIT_FAILURE: “SOAP FIPS initialization failure: %s.”
Explanation SOAP FIPS initialization failure.
Recommended Action None.
Error Message SOAP_FIPS-4-PROC_FAILURE: “SOAP FIPS test failure: %s.”
Explanation SOAP FIPS test critical failure.
Recommended Action None.
Error Message SOAP_FIPS-4-PROC_WARNING: “SOAP FIPS test warning: %s.”
Explanation SOAP FIPS test non-critical failure.
Recommended Action None.
Error Message DOT11-6-MCAST_DISCARD: “%s mode multicast packets are discarded in %s multicast mode.”
Explanation An access point configured as a workgroup bridge drops infrastructure mode multicast packets while in client mode, and drops client mode multicast packets while in infrastructure mode.
Recommended Action None.
Inter-Access Point Protocol Messages
Error Message DOT11-6-STANDBY_ACTIVE: “Standby to Active, Reason = %s (%d).
Local Authenticator Messages
Error Message RADSRV-4-NAS_KEYMIS: NAS shared key mismatch.
Explanation The local RADIUS server received an authentication request but the message signature indicates that the shared key text does not match.
Recommended Action Correct the shared key configuration on either the NAS or on the local RADIUS server.
Error Message DPT1X-SHIM-4-PLUMB_KEY_ERR: “Unable to plumb keys - %s.”
Explanation An unexpected error occurred when the shim layer tried to plumb the keys.
Recommended Action None.
Error Message DOT1X-SHIM-3-PKT_TX_ERR: “Unable to tx packet -%s.”
Explanation An unexpected error occurred when the shim layer tried to transmit the dot1x packet.
Recommended Action None.
Error Message DOT1X-SHIM-3-ENCAP_ERR: “Packet encap failed for %e.
WDS Messages
Error Message WLCCP-WDS-6-REPEATER_STOP: WLCCP WDS on Repeater unsupported, WDS is disabled.
Explanation Repeater access points do not support WDS.
Recommended Action None.
Error Message WLCCP-WDS-6-PREV_VER_AP: A previous version of AP is detected.
Explanation The WDS device detected a previous version of the access point.
Recommended Action None.
Error Message WLCCP-NM-6-WNM_LINK_UP: Link to WNM is up
Explanation The network manager is now responding to keep-active messages.
Recommended Action None.
Error Message WLCCP-NM-6-RESET: Resetting WLCCP-NM
Explanation A change in the network manager IP address or a temporary out-of-resource state might have caused a reset on the WDS network manager subsystem, but operation will return to normal shortly.
Recommended Action None.
Access Point/Bridge Messages
Error Message APBR-4-SEND_PCKT_FAILED: Failed to Send Packet on port ifDescr (error= errornum)
errornum: status error number
Explanation The access point or bridge failed to send a packet. This condition might be seen if there is external noise or interference.
Recommended Action Check for sources of noise or interference.
LWAPP Error Messages
Error Message LWAPP-3-CDP: Failure sending CDP Update to Controller. Reason “s”
Explanation Could not send access point CDP update to controller.
Recommended Action None.
Error Message LWAPP-3-CLIENTERRORLOG: “s”
Explanation This log message indicates an LWAPP client error event. The message is logged to help in troubleshooting LWAPP access point join problems.
Recommended Action None.
Sensor Messages
Error Message SENSOR-3-TEMP_CRITICAL: System sensor “d” has exceeded CRITCAL temperature thresholds
Explanation One of the measured environmental test points exceeds the extreme threshold.
Recommended Action Correct the specified condition, or the system may shut itself down as a preventive measure. Enter the show environment all command to help determine whether this is due to a temperature or voltage condition.
Error Message SENSOR-3-VOLT_NORMAL: System sensor “d”(“d”) is now operating under NORMAL voltage
Explanation One of the measured environmental test points is under normal operating voltage.
Recommended Action None.
Error Message SENSOR-3-VOLT_WARNING: Voltage monitor “d”(“d”) has exceeded voltage thresholds
Explanation One of the measured voltage test points indicates that voltage is out of normal range.
Error Message SNMP-4-NOENGINEIDV6: Remote snmpEngineID for Unrecognized format ‘ %P’ not found when creating user: “s”
Explanation An attempt to create a user failed. This is likely because the engine ID of the remote agent (or SNMP manager) was not configured.
Recommended Action Configure the remote snmpEngineID and reconfigure the user.
SSH Error Messages
Error Message SSH-5-SSH_CLOSE: SSH Session from “%s”(tty = “%d”) for user ’”%s”’ using crypto cipher ’”%s”’ closed
Explanation The SSH Session closure information
Recommended Action None - informational message
Error Message SSH-5-SSH_SESSION: SSH Session request from ”%s” (tty = “%d”) using crypto cipher ’”%s”’ ”%s”
Explanation The SSH session request information
Recommended Action None - informational message
Error Message SSH-5-SSH_USERAUTH: User
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points C-32 OL-30644-01
GLOSSARY
802.11 The IEEE standard that specifies carrier sense media access control and physical layer specifications for 1- and 2-megabit-per-second (Mbps) wireless LANs operating in the 2.4-GHz band.
802.11a The IEEE standard that specifies carrier sense media access control and physical layer specifications for wireless LANs operating in the 5-GHz frequency band.
802.11b The IEEE standard that specifies carrier sense media access control and physical layer specifications for 5.
beacon A wireless LAN packet that signals the availability and presence of the wireless device. Beacon packets are sent by access points and base stations; however, client radio cards send beacons when operating in computer to computer (Ad Hoc) mode.
BOOTP Boot Protocol. A protocol used for the static assignment of IP addresses to devices on the network.
BPSK A modulation technique used by IEEE 802.11b-compliant wireless LANs for transmission at 1 Mbps.
dipole A type of low-gain (2.2-dBi) antenna consisting of two (often internal) elements.
domain name The text name that refers to a grouping of networks or network resources based on organization-type or geography; for example: name.com—commercial; name.edu—educational; name.gov—government; ISPname.net—network provider (such as an ISP); name.ar—Argentina; name.au—Australia; and so on.
DNS Domain Name System server. A server that translates text names into IP addresses.
IP subnet mask The number used to identify the IP subnetwork, indicating whether the IP address can be recognized on the LAN or if it must be reached through a gateway. This number is expressed in a form similar to an IP address; for example: 255.255.255.0.
isotropic An antenna that radiates its signal in a spherical pattern.
M
MAC Media Access Control address. A unique 48-bit number used in Ethernet data packets to identify an Ethernet device, such as an access point or your client adapter.
roaming A feature of some Access Points that allows users to move through a facility while maintaining an unbroken connection to the LAN.
RP-TNC A connector type unique to Cisco Aironet radios and antennas. Part 15.203 of the FCC rules covering spread spectrum devices limits the types of antennas that may be used with transmission equipment.
W
WDS Wireless Domain Services (WDS). An access point providing WDS on your wireless LAN maintains a cache of credentials for CCKM-capable client devices on your wireless LAN. When a CCKM-capable client roams from one access point to another, the WDS access point forwards the client’s credentials to the new access point with the multicast key. Only two packets pass between the client and the new access point, greatly shortening the reassociation time.
WEP Wired Equivalent Privacy.